CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]
[linux-2.6.git] / security / selinux / hooks.c
1 /*
2  *  NSA Security-Enhanced Linux (SELinux) security module
3  *
4  *  This file contains the SELinux hook function implementations.
5  *
6  *  Authors:  Stephen Smalley, <sds@epoch.ncsc.mil>
7  *            Chris Vance, <cvance@nai.com>
8  *            Wayne Salamon, <wsalamon@nai.com>
9  *            James Morris <jmorris@redhat.com>
10  *
11  *  Copyright (C) 2001,2002 Networks Associates Technology, Inc.
12  *  Copyright (C) 2003-2008 Red Hat, Inc., James Morris <jmorris@redhat.com>
13  *                                         Eric Paris <eparis@redhat.com>
14  *  Copyright (C) 2004-2005 Trusted Computer Solutions, Inc.
15  *                          <dgoeddel@trustedcs.com>
16  *  Copyright (C) 2006, 2007 Hewlett-Packard Development Company, L.P.
17  *              Paul Moore <paul.moore@hp.com>
18  *  Copyright (C) 2007 Hitachi Software Engineering Co., Ltd.
19  *                     Yuichi Nakamura <ynakam@hitachisoft.jp>
20  *
21  *      This program is free software; you can redistribute it and/or modify
22  *      it under the terms of the GNU General Public License version 2,
23  *      as published by the Free Software Foundation.
24  */
25
26 #include <linux/init.h>
27 #include <linux/kernel.h>
28 #include <linux/tracehook.h>
29 #include <linux/errno.h>
30 #include <linux/sched.h>
31 #include <linux/security.h>
32 #include <linux/xattr.h>
33 #include <linux/capability.h>
34 #include <linux/unistd.h>
35 #include <linux/mm.h>
36 #include <linux/mman.h>
37 #include <linux/slab.h>
38 #include <linux/pagemap.h>
39 #include <linux/swap.h>
40 #include <linux/spinlock.h>
41 #include <linux/syscalls.h>
42 #include <linux/file.h>
43 #include <linux/fdtable.h>
44 #include <linux/namei.h>
45 #include <linux/mount.h>
46 #include <linux/proc_fs.h>
47 #include <linux/netfilter_ipv4.h>
48 #include <linux/netfilter_ipv6.h>
49 #include <linux/tty.h>
50 #include <net/icmp.h>
51 #include <net/ip.h>             /* for local_port_range[] */
52 #include <net/tcp.h>            /* struct or_callable used in sock_rcv_skb */
53 #include <net/net_namespace.h>
54 #include <net/netlabel.h>
55 #include <linux/uaccess.h>
56 #include <asm/ioctls.h>
57 #include <asm/atomic.h>
58 #include <linux/bitops.h>
59 #include <linux/interrupt.h>
60 #include <linux/netdevice.h>    /* for network interface checks */
61 #include <linux/netlink.h>
62 #include <linux/tcp.h>
63 #include <linux/udp.h>
64 #include <linux/dccp.h>
65 #include <linux/quota.h>
66 #include <linux/un.h>           /* for Unix socket types */
67 #include <net/af_unix.h>        /* for Unix socket types */
68 #include <linux/parser.h>
69 #include <linux/nfs_mount.h>
70 #include <net/ipv6.h>
71 #include <linux/hugetlb.h>
72 #include <linux/personality.h>
73 #include <linux/sysctl.h>
74 #include <linux/audit.h>
75 #include <linux/string.h>
76 #include <linux/selinux.h>
77 #include <linux/mutex.h>
78 #include <linux/posix-timers.h>
79
80 #include "avc.h"
81 #include "objsec.h"
82 #include "netif.h"
83 #include "netnode.h"
84 #include "netport.h"
85 #include "xfrm.h"
86 #include "netlabel.h"
87 #include "audit.h"
88
89 #define XATTR_SELINUX_SUFFIX "selinux"
90 #define XATTR_NAME_SELINUX XATTR_SECURITY_PREFIX XATTR_SELINUX_SUFFIX
91
92 #define NUM_SEL_MNT_OPTS 4
93
94 extern unsigned int policydb_loaded_version;
95 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
96 extern int selinux_compat_net;
97 extern struct security_operations *security_ops;
98
99 /* SECMARK reference count */
100 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
101
102 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
103 int selinux_enforcing;
104
105 static int __init enforcing_setup(char *str)
106 {
107         unsigned long enforcing;
108         if (!strict_strtoul(str, 0, &enforcing))
109                 selinux_enforcing = enforcing ? 1 : 0;
110         return 1;
111 }
112 __setup("enforcing=", enforcing_setup);
113 #endif
114
115 #ifdef CONFIG_SECURITY_SELINUX_BOOTPARAM
116 int selinux_enabled = CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE;
117
118 static int __init selinux_enabled_setup(char *str)
119 {
120         unsigned long enabled;
121         if (!strict_strtoul(str, 0, &enabled))
122                 selinux_enabled = enabled ? 1 : 0;
123         return 1;
124 }
125 __setup("selinux=", selinux_enabled_setup);
126 #else
127 int selinux_enabled = 1;
128 #endif
129
130
131 /*
132  * Minimal support for a secondary security module,
133  * just to allow the use of the capability module.
134  */
135 static struct security_operations *secondary_ops;
136
137 /* Lists of inode and superblock security structures initialized
138    before the policy was loaded. */
139 static LIST_HEAD(superblock_security_head);
140 static DEFINE_SPINLOCK(sb_security_lock);
141
142 static struct kmem_cache *sel_inode_cache;
143
144 /**
145  * selinux_secmark_enabled - Check to see if SECMARK is currently enabled
146  *
147  * Description:
148  * This function checks the SECMARK reference counter to see if any SECMARK
149  * targets are currently configured, if the reference counter is greater than
150  * zero SECMARK is considered to be enabled.  Returns true (1) if SECMARK is
151  * enabled, false (0) if SECMARK is disabled.
152  *
153  */
154 static int selinux_secmark_enabled(void)
155 {
156         return (atomic_read(&selinux_secmark_refcount) > 0);
157 }
158
159 /*
160  * initialise the security for the init task
161  */
162 static void cred_init_security(void)
163 {
164         struct cred *cred = (struct cred *) current->real_cred;
165         struct task_security_struct *tsec;
166
167         tsec = kzalloc(sizeof(struct task_security_struct), GFP_KERNEL);
168         if (!tsec)
169                 panic("SELinux:  Failed to initialize initial task.\n");
170
171         tsec->osid = tsec->sid = SECINITSID_KERNEL;
172         cred->security = tsec;
173 }
174
175 /*
176  * get the security ID of a set of credentials
177  */
178 static inline u32 cred_sid(const struct cred *cred)
179 {
180         const struct task_security_struct *tsec;
181
182         tsec = cred->security;
183         return tsec->sid;
184 }
185
186 /*
187  * get the objective security ID of a task
188  */
189 static inline u32 task_sid(const struct task_struct *task)
190 {
191         u32 sid;
192
193         rcu_read_lock();
194         sid = cred_sid(__task_cred(task));
195         rcu_read_unlock();
196         return sid;
197 }
198
199 /*
200  * get the subjective security ID of the current task
201  */
202 static inline u32 current_sid(void)
203 {
204         const struct task_security_struct *tsec = current_cred()->security;
205
206         return tsec->sid;
207 }
208
209 /* Allocate and free functions for each kind of security blob. */
210
211 static int inode_alloc_security(struct inode *inode)
212 {
213         struct inode_security_struct *isec;
214         u32 sid = current_sid();
215
216         isec = kmem_cache_zalloc(sel_inode_cache, GFP_NOFS);
217         if (!isec)
218                 return -ENOMEM;
219
220         mutex_init(&isec->lock);
221         INIT_LIST_HEAD(&isec->list);
222         isec->inode = inode;
223         isec->sid = SECINITSID_UNLABELED;
224         isec->sclass = SECCLASS_FILE;
225         isec->task_sid = sid;
226         inode->i_security = isec;
227
228         return 0;
229 }
230
231 static void inode_free_security(struct inode *inode)
232 {
233         struct inode_security_struct *isec = inode->i_security;
234         struct superblock_security_struct *sbsec = inode->i_sb->s_security;
235
236         spin_lock(&sbsec->isec_lock);
237         if (!list_empty(&isec->list))
238                 list_del_init(&isec->list);
239         spin_unlock(&sbsec->isec_lock);
240
241         inode->i_security = NULL;
242         kmem_cache_free(sel_inode_cache, isec);
243 }
244
245 static int file_alloc_security(struct file *file)
246 {
247         struct file_security_struct *fsec;
248         u32 sid = current_sid();
249
250         fsec = kzalloc(sizeof(struct file_security_struct), GFP_KERNEL);
251         if (!fsec)
252                 return -ENOMEM;
253
254         fsec->sid = sid;
255         fsec->fown_sid = sid;
256         file->f_security = fsec;
257
258         return 0;
259 }
260
261 static void file_free_security(struct file *file)
262 {
263         struct file_security_struct *fsec = file->f_security;
264         file->f_security = NULL;
265         kfree(fsec);
266 }
267
268 static int superblock_alloc_security(struct super_block *sb)
269 {
270         struct superblock_security_struct *sbsec;
271
272         sbsec = kzalloc(sizeof(struct superblock_security_struct), GFP_KERNEL);
273         if (!sbsec)
274                 return -ENOMEM;
275
276         mutex_init(&sbsec->lock);
277         INIT_LIST_HEAD(&sbsec->list);
278         INIT_LIST_HEAD(&sbsec->isec_head);
279         spin_lock_init(&sbsec->isec_lock);
280         sbsec->sb = sb;
281         sbsec->sid = SECINITSID_UNLABELED;
282         sbsec->def_sid = SECINITSID_FILE;
283         sbsec->mntpoint_sid = SECINITSID_UNLABELED;
284         sb->s_security = sbsec;
285
286         return 0;
287 }
288
289 static void superblock_free_security(struct super_block *sb)
290 {
291         struct superblock_security_struct *sbsec = sb->s_security;
292
293         spin_lock(&sb_security_lock);
294         if (!list_empty(&sbsec->list))
295                 list_del_init(&sbsec->list);
296         spin_unlock(&sb_security_lock);
297
298         sb->s_security = NULL;
299         kfree(sbsec);
300 }
301
302 static int sk_alloc_security(struct sock *sk, int family, gfp_t priority)
303 {
304         struct sk_security_struct *ssec;
305
306         ssec = kzalloc(sizeof(*ssec), priority);
307         if (!ssec)
308                 return -ENOMEM;
309
310         ssec->peer_sid = SECINITSID_UNLABELED;
311         ssec->sid = SECINITSID_UNLABELED;
312         sk->sk_security = ssec;
313
314         selinux_netlbl_sk_security_reset(ssec, family);
315
316         return 0;
317 }
318
319 static void sk_free_security(struct sock *sk)
320 {
321         struct sk_security_struct *ssec = sk->sk_security;
322
323         sk->sk_security = NULL;
324         selinux_netlbl_sk_security_free(ssec);
325         kfree(ssec);
326 }
327
328 /* The security server must be initialized before
329    any labeling or access decisions can be provided. */
330 extern int ss_initialized;
331
332 /* The file system's label must be initialized prior to use. */
333
334 static char *labeling_behaviors[6] = {
335         "uses xattr",
336         "uses transition SIDs",
337         "uses task SIDs",
338         "uses genfs_contexts",
339         "not configured for labeling",
340         "uses mountpoint labeling",
341 };
342
343 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry);
344
345 static inline int inode_doinit(struct inode *inode)
346 {
347         return inode_doinit_with_dentry(inode, NULL);
348 }
349
350 enum {
351         Opt_error = -1,
352         Opt_context = 1,
353         Opt_fscontext = 2,
354         Opt_defcontext = 3,
355         Opt_rootcontext = 4,
356 };
357
358 static const match_table_t tokens = {
359         {Opt_context, CONTEXT_STR "%s"},
360         {Opt_fscontext, FSCONTEXT_STR "%s"},
361         {Opt_defcontext, DEFCONTEXT_STR "%s"},
362         {Opt_rootcontext, ROOTCONTEXT_STR "%s"},
363         {Opt_error, NULL},
364 };
365
366 #define SEL_MOUNT_FAIL_MSG "SELinux:  duplicate or incompatible mount options\n"
367
368 static int may_context_mount_sb_relabel(u32 sid,
369                         struct superblock_security_struct *sbsec,
370                         const struct cred *cred)
371 {
372         const struct task_security_struct *tsec = cred->security;
373         int rc;
374
375         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
376                           FILESYSTEM__RELABELFROM, NULL);
377         if (rc)
378                 return rc;
379
380         rc = avc_has_perm(tsec->sid, sid, SECCLASS_FILESYSTEM,
381                           FILESYSTEM__RELABELTO, NULL);
382         return rc;
383 }
384
385 static int may_context_mount_inode_relabel(u32 sid,
386                         struct superblock_security_struct *sbsec,
387                         const struct cred *cred)
388 {
389         const struct task_security_struct *tsec = cred->security;
390         int rc;
391         rc = avc_has_perm(tsec->sid, sbsec->sid, SECCLASS_FILESYSTEM,
392                           FILESYSTEM__RELABELFROM, NULL);
393         if (rc)
394                 return rc;
395
396         rc = avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM,
397                           FILESYSTEM__ASSOCIATE, NULL);
398         return rc;
399 }
400
401 static int sb_finish_set_opts(struct super_block *sb)
402 {
403         struct superblock_security_struct *sbsec = sb->s_security;
404         struct dentry *root = sb->s_root;
405         struct inode *root_inode = root->d_inode;
406         int rc = 0;
407
408         if (sbsec->behavior == SECURITY_FS_USE_XATTR) {
409                 /* Make sure that the xattr handler exists and that no
410                    error other than -ENODATA is returned by getxattr on
411                    the root directory.  -ENODATA is ok, as this may be
412                    the first boot of the SELinux kernel before we have
413                    assigned xattr values to the filesystem. */
414                 if (!root_inode->i_op->getxattr) {
415                         printk(KERN_WARNING "SELinux: (dev %s, type %s) has no "
416                                "xattr support\n", sb->s_id, sb->s_type->name);
417                         rc = -EOPNOTSUPP;
418                         goto out;
419                 }
420                 rc = root_inode->i_op->getxattr(root, XATTR_NAME_SELINUX, NULL, 0);
421                 if (rc < 0 && rc != -ENODATA) {
422                         if (rc == -EOPNOTSUPP)
423                                 printk(KERN_WARNING "SELinux: (dev %s, type "
424                                        "%s) has no security xattr handler\n",
425                                        sb->s_id, sb->s_type->name);
426                         else
427                                 printk(KERN_WARNING "SELinux: (dev %s, type "
428                                        "%s) getxattr errno %d\n", sb->s_id,
429                                        sb->s_type->name, -rc);
430                         goto out;
431                 }
432         }
433
434         sbsec->initialized = 1;
435
436         if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors))
437                 printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
438                        sb->s_id, sb->s_type->name);
439         else
440                 printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
441                        sb->s_id, sb->s_type->name,
442                        labeling_behaviors[sbsec->behavior-1]);
443
444         /* Initialize the root inode. */
445         rc = inode_doinit_with_dentry(root_inode, root);
446
447         /* Initialize any other inodes associated with the superblock, e.g.
448            inodes created prior to initial policy load or inodes created
449            during get_sb by a pseudo filesystem that directly
450            populates itself. */
451         spin_lock(&sbsec->isec_lock);
452 next_inode:
453         if (!list_empty(&sbsec->isec_head)) {
454                 struct inode_security_struct *isec =
455                                 list_entry(sbsec->isec_head.next,
456                                            struct inode_security_struct, list);
457                 struct inode *inode = isec->inode;
458                 spin_unlock(&sbsec->isec_lock);
459                 inode = igrab(inode);
460                 if (inode) {
461                         if (!IS_PRIVATE(inode))
462                                 inode_doinit(inode);
463                         iput(inode);
464                 }
465                 spin_lock(&sbsec->isec_lock);
466                 list_del_init(&isec->list);
467                 goto next_inode;
468         }
469         spin_unlock(&sbsec->isec_lock);
470 out:
471         return rc;
472 }
473
474 /*
475  * This function should allow an FS to ask what it's mount security
476  * options were so it can use those later for submounts, displaying
477  * mount options, or whatever.
478  */
479 static int selinux_get_mnt_opts(const struct super_block *sb,
480                                 struct security_mnt_opts *opts)
481 {
482         int rc = 0, i;
483         struct superblock_security_struct *sbsec = sb->s_security;
484         char *context = NULL;
485         u32 len;
486         char tmp;
487
488         security_init_mnt_opts(opts);
489
490         if (!sbsec->initialized)
491                 return -EINVAL;
492
493         if (!ss_initialized)
494                 return -EINVAL;
495
496         /*
497          * if we ever use sbsec flags for anything other than tracking mount
498          * settings this is going to need a mask
499          */
500         tmp = sbsec->flags;
501         /* count the number of mount options for this sb */
502         for (i = 0; i < 8; i++) {
503                 if (tmp & 0x01)
504                         opts->num_mnt_opts++;
505                 tmp >>= 1;
506         }
507
508         opts->mnt_opts = kcalloc(opts->num_mnt_opts, sizeof(char *), GFP_ATOMIC);
509         if (!opts->mnt_opts) {
510                 rc = -ENOMEM;
511                 goto out_free;
512         }
513
514         opts->mnt_opts_flags = kcalloc(opts->num_mnt_opts, sizeof(int), GFP_ATOMIC);
515         if (!opts->mnt_opts_flags) {
516                 rc = -ENOMEM;
517                 goto out_free;
518         }
519
520         i = 0;
521         if (sbsec->flags & FSCONTEXT_MNT) {
522                 rc = security_sid_to_context(sbsec->sid, &context, &len);
523                 if (rc)
524                         goto out_free;
525                 opts->mnt_opts[i] = context;
526                 opts->mnt_opts_flags[i++] = FSCONTEXT_MNT;
527         }
528         if (sbsec->flags & CONTEXT_MNT) {
529                 rc = security_sid_to_context(sbsec->mntpoint_sid, &context, &len);
530                 if (rc)
531                         goto out_free;
532                 opts->mnt_opts[i] = context;
533                 opts->mnt_opts_flags[i++] = CONTEXT_MNT;
534         }
535         if (sbsec->flags & DEFCONTEXT_MNT) {
536                 rc = security_sid_to_context(sbsec->def_sid, &context, &len);
537                 if (rc)
538                         goto out_free;
539                 opts->mnt_opts[i] = context;
540                 opts->mnt_opts_flags[i++] = DEFCONTEXT_MNT;
541         }
542         if (sbsec->flags & ROOTCONTEXT_MNT) {
543                 struct inode *root = sbsec->sb->s_root->d_inode;
544                 struct inode_security_struct *isec = root->i_security;
545
546                 rc = security_sid_to_context(isec->sid, &context, &len);
547                 if (rc)
548                         goto out_free;
549                 opts->mnt_opts[i] = context;
550                 opts->mnt_opts_flags[i++] = ROOTCONTEXT_MNT;
551         }
552
553         BUG_ON(i != opts->num_mnt_opts);
554
555         return 0;
556
557 out_free:
558         security_free_mnt_opts(opts);
559         return rc;
560 }
561
562 static int bad_option(struct superblock_security_struct *sbsec, char flag,
563                       u32 old_sid, u32 new_sid)
564 {
565         /* check if the old mount command had the same options */
566         if (sbsec->initialized)
567                 if (!(sbsec->flags & flag) ||
568                     (old_sid != new_sid))
569                         return 1;
570
571         /* check if we were passed the same options twice,
572          * aka someone passed context=a,context=b
573          */
574         if (!sbsec->initialized)
575                 if (sbsec->flags & flag)
576                         return 1;
577         return 0;
578 }
579
580 /*
581  * Allow filesystems with binary mount data to explicitly set mount point
582  * labeling information.
583  */
584 static int selinux_set_mnt_opts(struct super_block *sb,
585                                 struct security_mnt_opts *opts)
586 {
587         const struct cred *cred = current_cred();
588         int rc = 0, i;
589         struct superblock_security_struct *sbsec = sb->s_security;
590         const char *name = sb->s_type->name;
591         struct inode *inode = sbsec->sb->s_root->d_inode;
592         struct inode_security_struct *root_isec = inode->i_security;
593         u32 fscontext_sid = 0, context_sid = 0, rootcontext_sid = 0;
594         u32 defcontext_sid = 0;
595         char **mount_options = opts->mnt_opts;
596         int *flags = opts->mnt_opts_flags;
597         int num_opts = opts->num_mnt_opts;
598
599         mutex_lock(&sbsec->lock);
600
601         if (!ss_initialized) {
602                 if (!num_opts) {
603                         /* Defer initialization until selinux_complete_init,
604                            after the initial policy is loaded and the security
605                            server is ready to handle calls. */
606                         spin_lock(&sb_security_lock);
607                         if (list_empty(&sbsec->list))
608                                 list_add(&sbsec->list, &superblock_security_head);
609                         spin_unlock(&sb_security_lock);
610                         goto out;
611                 }
612                 rc = -EINVAL;
613                 printk(KERN_WARNING "SELinux: Unable to set superblock options "
614                         "before the security server is initialized\n");
615                 goto out;
616         }
617
618         /*
619          * Binary mount data FS will come through this function twice.  Once
620          * from an explicit call and once from the generic calls from the vfs.
621          * Since the generic VFS calls will not contain any security mount data
622          * we need to skip the double mount verification.
623          *
624          * This does open a hole in which we will not notice if the first
625          * mount using this sb set explict options and a second mount using
626          * this sb does not set any security options.  (The first options
627          * will be used for both mounts)
628          */
629         if (sbsec->initialized && (sb->s_type->fs_flags & FS_BINARY_MOUNTDATA)
630             && (num_opts == 0))
631                 goto out;
632
633         /*
634          * parse the mount options, check if they are valid sids.
635          * also check if someone is trying to mount the same sb more
636          * than once with different security options.
637          */
638         for (i = 0; i < num_opts; i++) {
639                 u32 sid;
640                 rc = security_context_to_sid(mount_options[i],
641                                              strlen(mount_options[i]), &sid);
642                 if (rc) {
643                         printk(KERN_WARNING "SELinux: security_context_to_sid"
644                                "(%s) failed for (dev %s, type %s) errno=%d\n",
645                                mount_options[i], sb->s_id, name, rc);
646                         goto out;
647                 }
648                 switch (flags[i]) {
649                 case FSCONTEXT_MNT:
650                         fscontext_sid = sid;
651
652                         if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
653                                         fscontext_sid))
654                                 goto out_double_mount;
655
656                         sbsec->flags |= FSCONTEXT_MNT;
657                         break;
658                 case CONTEXT_MNT:
659                         context_sid = sid;
660
661                         if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
662                                         context_sid))
663                                 goto out_double_mount;
664
665                         sbsec->flags |= CONTEXT_MNT;
666                         break;
667                 case ROOTCONTEXT_MNT:
668                         rootcontext_sid = sid;
669
670                         if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
671                                         rootcontext_sid))
672                                 goto out_double_mount;
673
674                         sbsec->flags |= ROOTCONTEXT_MNT;
675
676                         break;
677                 case DEFCONTEXT_MNT:
678                         defcontext_sid = sid;
679
680                         if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
681                                         defcontext_sid))
682                                 goto out_double_mount;
683
684                         sbsec->flags |= DEFCONTEXT_MNT;
685
686                         break;
687                 default:
688                         rc = -EINVAL;
689                         goto out;
690                 }
691         }
692
693         if (sbsec->initialized) {
694                 /* previously mounted with options, but not on this attempt? */
695                 if (sbsec->flags && !num_opts)
696                         goto out_double_mount;
697                 rc = 0;
698                 goto out;
699         }
700
701         if (strcmp(sb->s_type->name, "proc") == 0)
702                 sbsec->proc = 1;
703
704         /* Determine the labeling behavior to use for this filesystem type. */
705         rc = security_fs_use(sbsec->proc ? "proc" : sb->s_type->name, &sbsec->behavior, &sbsec->sid);
706         if (rc) {
707                 printk(KERN_WARNING "%s: security_fs_use(%s) returned %d\n",
708                        __func__, sb->s_type->name, rc);
709                 goto out;
710         }
711
712         /* sets the context of the superblock for the fs being mounted. */
713         if (fscontext_sid) {
714                 rc = may_context_mount_sb_relabel(fscontext_sid, sbsec, cred);
715                 if (rc)
716                         goto out;
717
718                 sbsec->sid = fscontext_sid;
719         }
720
721         /*
722          * Switch to using mount point labeling behavior.
723          * sets the label used on all file below the mountpoint, and will set
724          * the superblock context if not already set.
725          */
726         if (context_sid) {
727                 if (!fscontext_sid) {
728                         rc = may_context_mount_sb_relabel(context_sid, sbsec,
729                                                           cred);
730                         if (rc)
731                                 goto out;
732                         sbsec->sid = context_sid;
733                 } else {
734                         rc = may_context_mount_inode_relabel(context_sid, sbsec,
735                                                              cred);
736                         if (rc)
737                                 goto out;
738                 }
739                 if (!rootcontext_sid)
740                         rootcontext_sid = context_sid;
741
742                 sbsec->mntpoint_sid = context_sid;
743                 sbsec->behavior = SECURITY_FS_USE_MNTPOINT;
744         }
745
746         if (rootcontext_sid) {
747                 rc = may_context_mount_inode_relabel(rootcontext_sid, sbsec,
748                                                      cred);
749                 if (rc)
750                         goto out;
751
752                 root_isec->sid = rootcontext_sid;
753                 root_isec->initialized = 1;
754         }
755
756         if (defcontext_sid) {
757                 if (sbsec->behavior != SECURITY_FS_USE_XATTR) {
758                         rc = -EINVAL;
759                         printk(KERN_WARNING "SELinux: defcontext option is "
760                                "invalid for this filesystem type\n");
761                         goto out;
762                 }
763
764                 if (defcontext_sid != sbsec->def_sid) {
765                         rc = may_context_mount_inode_relabel(defcontext_sid,
766                                                              sbsec, cred);
767                         if (rc)
768                                 goto out;
769                 }
770
771                 sbsec->def_sid = defcontext_sid;
772         }
773
774         rc = sb_finish_set_opts(sb);
775 out:
776         mutex_unlock(&sbsec->lock);
777         return rc;
778 out_double_mount:
779         rc = -EINVAL;
780         printk(KERN_WARNING "SELinux: mount invalid.  Same superblock, different "
781                "security settings for (dev %s, type %s)\n", sb->s_id, name);
782         goto out;
783 }
784
785 static void selinux_sb_clone_mnt_opts(const struct super_block *oldsb,
786                                         struct super_block *newsb)
787 {
788         const struct superblock_security_struct *oldsbsec = oldsb->s_security;
789         struct superblock_security_struct *newsbsec = newsb->s_security;
790
791         int set_fscontext =     (oldsbsec->flags & FSCONTEXT_MNT);
792         int set_context =       (oldsbsec->flags & CONTEXT_MNT);
793         int set_rootcontext =   (oldsbsec->flags & ROOTCONTEXT_MNT);
794
795         /*
796          * if the parent was able to be mounted it clearly had no special lsm
797          * mount options.  thus we can safely put this sb on the list and deal
798          * with it later
799          */
800         if (!ss_initialized) {
801                 spin_lock(&sb_security_lock);
802                 if (list_empty(&newsbsec->list))
803                         list_add(&newsbsec->list, &superblock_security_head);
804                 spin_unlock(&sb_security_lock);
805                 return;
806         }
807
808         /* how can we clone if the old one wasn't set up?? */
809         BUG_ON(!oldsbsec->initialized);
810
811         /* if fs is reusing a sb, just let its options stand... */
812         if (newsbsec->initialized)
813                 return;
814
815         mutex_lock(&newsbsec->lock);
816
817         newsbsec->flags = oldsbsec->flags;
818
819         newsbsec->sid = oldsbsec->sid;
820         newsbsec->def_sid = oldsbsec->def_sid;
821         newsbsec->behavior = oldsbsec->behavior;
822
823         if (set_context) {
824                 u32 sid = oldsbsec->mntpoint_sid;
825
826                 if (!set_fscontext)
827                         newsbsec->sid = sid;
828                 if (!set_rootcontext) {
829                         struct inode *newinode = newsb->s_root->d_inode;
830                         struct inode_security_struct *newisec = newinode->i_security;
831                         newisec->sid = sid;
832                 }
833                 newsbsec->mntpoint_sid = sid;
834         }
835         if (set_rootcontext) {
836                 const struct inode *oldinode = oldsb->s_root->d_inode;
837                 const struct inode_security_struct *oldisec = oldinode->i_security;
838                 struct inode *newinode = newsb->s_root->d_inode;
839                 struct inode_security_struct *newisec = newinode->i_security;
840
841                 newisec->sid = oldisec->sid;
842         }
843
844         sb_finish_set_opts(newsb);
845         mutex_unlock(&newsbsec->lock);
846 }
847
848 static int selinux_parse_opts_str(char *options,
849                                   struct security_mnt_opts *opts)
850 {
851         char *p;
852         char *context = NULL, *defcontext = NULL;
853         char *fscontext = NULL, *rootcontext = NULL;
854         int rc, num_mnt_opts = 0;
855
856         opts->num_mnt_opts = 0;
857
858         /* Standard string-based options. */
859         while ((p = strsep(&options, "|")) != NULL) {
860                 int token;
861                 substring_t args[MAX_OPT_ARGS];
862
863                 if (!*p)
864                         continue;
865
866                 token = match_token(p, tokens, args);
867
868                 switch (token) {
869                 case Opt_context:
870                         if (context || defcontext) {
871                                 rc = -EINVAL;
872                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
873                                 goto out_err;
874                         }
875                         context = match_strdup(&args[0]);
876                         if (!context) {
877                                 rc = -ENOMEM;
878                                 goto out_err;
879                         }
880                         break;
881
882                 case Opt_fscontext:
883                         if (fscontext) {
884                                 rc = -EINVAL;
885                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
886                                 goto out_err;
887                         }
888                         fscontext = match_strdup(&args[0]);
889                         if (!fscontext) {
890                                 rc = -ENOMEM;
891                                 goto out_err;
892                         }
893                         break;
894
895                 case Opt_rootcontext:
896                         if (rootcontext) {
897                                 rc = -EINVAL;
898                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
899                                 goto out_err;
900                         }
901                         rootcontext = match_strdup(&args[0]);
902                         if (!rootcontext) {
903                                 rc = -ENOMEM;
904                                 goto out_err;
905                         }
906                         break;
907
908                 case Opt_defcontext:
909                         if (context || defcontext) {
910                                 rc = -EINVAL;
911                                 printk(KERN_WARNING SEL_MOUNT_FAIL_MSG);
912                                 goto out_err;
913                         }
914                         defcontext = match_strdup(&args[0]);
915                         if (!defcontext) {
916                                 rc = -ENOMEM;
917                                 goto out_err;
918                         }
919                         break;
920
921                 default:
922                         rc = -EINVAL;
923                         printk(KERN_WARNING "SELinux:  unknown mount option\n");
924                         goto out_err;
925
926                 }
927         }
928
929         rc = -ENOMEM;
930         opts->mnt_opts = kcalloc(NUM_SEL_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
931         if (!opts->mnt_opts)
932                 goto out_err;
933
934         opts->mnt_opts_flags = kcalloc(NUM_SEL_MNT_OPTS, sizeof(int), GFP_ATOMIC);
935         if (!opts->mnt_opts_flags) {
936                 kfree(opts->mnt_opts);
937                 goto out_err;
938         }
939
940         if (fscontext) {
941                 opts->mnt_opts[num_mnt_opts] = fscontext;
942                 opts->mnt_opts_flags[num_mnt_opts++] = FSCONTEXT_MNT;
943         }
944         if (context) {
945                 opts->mnt_opts[num_mnt_opts] = context;
946                 opts->mnt_opts_flags[num_mnt_opts++] = CONTEXT_MNT;
947         }
948         if (rootcontext) {
949                 opts->mnt_opts[num_mnt_opts] = rootcontext;
950                 opts->mnt_opts_flags[num_mnt_opts++] = ROOTCONTEXT_MNT;
951         }
952         if (defcontext) {
953                 opts->mnt_opts[num_mnt_opts] = defcontext;
954                 opts->mnt_opts_flags[num_mnt_opts++] = DEFCONTEXT_MNT;
955         }
956
957         opts->num_mnt_opts = num_mnt_opts;
958         return 0;
959
960 out_err:
961         kfree(context);
962         kfree(defcontext);
963         kfree(fscontext);
964         kfree(rootcontext);
965         return rc;
966 }
967 /*
968  * string mount options parsing and call set the sbsec
969  */
970 static int superblock_doinit(struct super_block *sb, void *data)
971 {
972         int rc = 0;
973         char *options = data;
974         struct security_mnt_opts opts;
975
976         security_init_mnt_opts(&opts);
977
978         if (!data)
979                 goto out;
980
981         BUG_ON(sb->s_type->fs_flags & FS_BINARY_MOUNTDATA);
982
983         rc = selinux_parse_opts_str(options, &opts);
984         if (rc)
985                 goto out_err;
986
987 out:
988         rc = selinux_set_mnt_opts(sb, &opts);
989
990 out_err:
991         security_free_mnt_opts(&opts);
992         return rc;
993 }
994
995 static void selinux_write_opts(struct seq_file *m,
996                                struct security_mnt_opts *opts)
997 {
998         int i;
999         char *prefix;
1000
1001         for (i = 0; i < opts->num_mnt_opts; i++) {
1002                 char *has_comma = strchr(opts->mnt_opts[i], ',');
1003
1004                 switch (opts->mnt_opts_flags[i]) {
1005                 case CONTEXT_MNT:
1006                         prefix = CONTEXT_STR;
1007                         break;
1008                 case FSCONTEXT_MNT:
1009                         prefix = FSCONTEXT_STR;
1010                         break;
1011                 case ROOTCONTEXT_MNT:
1012                         prefix = ROOTCONTEXT_STR;
1013                         break;
1014                 case DEFCONTEXT_MNT:
1015                         prefix = DEFCONTEXT_STR;
1016                         break;
1017                 default:
1018                         BUG();
1019                 };
1020                 /* we need a comma before each option */
1021                 seq_putc(m, ',');
1022                 seq_puts(m, prefix);
1023                 if (has_comma)
1024                         seq_putc(m, '\"');
1025                 seq_puts(m, opts->mnt_opts[i]);
1026                 if (has_comma)
1027                         seq_putc(m, '\"');
1028         }
1029 }
1030
1031 static int selinux_sb_show_options(struct seq_file *m, struct super_block *sb)
1032 {
1033         struct security_mnt_opts opts;
1034         int rc;
1035
1036         rc = selinux_get_mnt_opts(sb, &opts);
1037         if (rc) {
1038                 /* before policy load we may get EINVAL, don't show anything */
1039                 if (rc == -EINVAL)
1040                         rc = 0;
1041                 return rc;
1042         }
1043
1044         selinux_write_opts(m, &opts);
1045
1046         security_free_mnt_opts(&opts);
1047
1048         return rc;
1049 }
1050
1051 static inline u16 inode_mode_to_security_class(umode_t mode)
1052 {
1053         switch (mode & S_IFMT) {
1054         case S_IFSOCK:
1055                 return SECCLASS_SOCK_FILE;
1056         case S_IFLNK:
1057                 return SECCLASS_LNK_FILE;
1058         case S_IFREG:
1059                 return SECCLASS_FILE;
1060         case S_IFBLK:
1061                 return SECCLASS_BLK_FILE;
1062         case S_IFDIR:
1063                 return SECCLASS_DIR;
1064         case S_IFCHR:
1065                 return SECCLASS_CHR_FILE;
1066         case S_IFIFO:
1067                 return SECCLASS_FIFO_FILE;
1068
1069         }
1070
1071         return SECCLASS_FILE;
1072 }
1073
1074 static inline int default_protocol_stream(int protocol)
1075 {
1076         return (protocol == IPPROTO_IP || protocol == IPPROTO_TCP);
1077 }
1078
1079 static inline int default_protocol_dgram(int protocol)
1080 {
1081         return (protocol == IPPROTO_IP || protocol == IPPROTO_UDP);
1082 }
1083
1084 static inline u16 socket_type_to_security_class(int family, int type, int protocol)
1085 {
1086         switch (family) {
1087         case PF_UNIX:
1088                 switch (type) {
1089                 case SOCK_STREAM:
1090                 case SOCK_SEQPACKET:
1091                         return SECCLASS_UNIX_STREAM_SOCKET;
1092                 case SOCK_DGRAM:
1093                         return SECCLASS_UNIX_DGRAM_SOCKET;
1094                 }
1095                 break;
1096         case PF_INET:
1097         case PF_INET6:
1098                 switch (type) {
1099                 case SOCK_STREAM:
1100                         if (default_protocol_stream(protocol))
1101                                 return SECCLASS_TCP_SOCKET;
1102                         else
1103                                 return SECCLASS_RAWIP_SOCKET;
1104                 case SOCK_DGRAM:
1105                         if (default_protocol_dgram(protocol))
1106                                 return SECCLASS_UDP_SOCKET;
1107                         else
1108                                 return SECCLASS_RAWIP_SOCKET;
1109                 case SOCK_DCCP:
1110                         return SECCLASS_DCCP_SOCKET;
1111                 default:
1112                         return SECCLASS_RAWIP_SOCKET;
1113                 }
1114                 break;
1115         case PF_NETLINK:
1116                 switch (protocol) {
1117                 case NETLINK_ROUTE:
1118                         return SECCLASS_NETLINK_ROUTE_SOCKET;
1119                 case NETLINK_FIREWALL:
1120                         return SECCLASS_NETLINK_FIREWALL_SOCKET;
1121                 case NETLINK_INET_DIAG:
1122                         return SECCLASS_NETLINK_TCPDIAG_SOCKET;
1123                 case NETLINK_NFLOG:
1124                         return SECCLASS_NETLINK_NFLOG_SOCKET;
1125                 case NETLINK_XFRM:
1126                         return SECCLASS_NETLINK_XFRM_SOCKET;
1127                 case NETLINK_SELINUX:
1128                         return SECCLASS_NETLINK_SELINUX_SOCKET;
1129                 case NETLINK_AUDIT:
1130                         return SECCLASS_NETLINK_AUDIT_SOCKET;
1131                 case NETLINK_IP6_FW:
1132                         return SECCLASS_NETLINK_IP6FW_SOCKET;
1133                 case NETLINK_DNRTMSG:
1134                         return SECCLASS_NETLINK_DNRT_SOCKET;
1135                 case NETLINK_KOBJECT_UEVENT:
1136                         return SECCLASS_NETLINK_KOBJECT_UEVENT_SOCKET;
1137                 default:
1138                         return SECCLASS_NETLINK_SOCKET;
1139                 }
1140         case PF_PACKET:
1141                 return SECCLASS_PACKET_SOCKET;
1142         case PF_KEY:
1143                 return SECCLASS_KEY_SOCKET;
1144         case PF_APPLETALK:
1145                 return SECCLASS_APPLETALK_SOCKET;
1146         }
1147
1148         return SECCLASS_SOCKET;
1149 }
1150
1151 #ifdef CONFIG_PROC_FS
1152 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1153                                 u16 tclass,
1154                                 u32 *sid)
1155 {
1156         int buflen, rc;
1157         char *buffer, *path, *end;
1158
1159         buffer = (char *)__get_free_page(GFP_KERNEL);
1160         if (!buffer)
1161                 return -ENOMEM;
1162
1163         buflen = PAGE_SIZE;
1164         end = buffer+buflen;
1165         *--end = '\0';
1166         buflen--;
1167         path = end-1;
1168         *path = '/';
1169         while (de && de != de->parent) {
1170                 buflen -= de->namelen + 1;
1171                 if (buflen < 0)
1172                         break;
1173                 end -= de->namelen;
1174                 memcpy(end, de->name, de->namelen);
1175                 *--end = '/';
1176                 path = end;
1177                 de = de->parent;
1178         }
1179         rc = security_genfs_sid("proc", path, tclass, sid);
1180         free_page((unsigned long)buffer);
1181         return rc;
1182 }
1183 #else
1184 static int selinux_proc_get_sid(struct proc_dir_entry *de,
1185                                 u16 tclass,
1186                                 u32 *sid)
1187 {
1188         return -EINVAL;
1189 }
1190 #endif
1191
1192 /* The inode's security attributes must be initialized before first use. */
1193 static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dentry)
1194 {
1195         struct superblock_security_struct *sbsec = NULL;
1196         struct inode_security_struct *isec = inode->i_security;
1197         u32 sid;
1198         struct dentry *dentry;
1199 #define INITCONTEXTLEN 255
1200         char *context = NULL;
1201         unsigned len = 0;
1202         int rc = 0;
1203
1204         if (isec->initialized)
1205                 goto out;
1206
1207         mutex_lock(&isec->lock);
1208         if (isec->initialized)
1209                 goto out_unlock;
1210
1211         sbsec = inode->i_sb->s_security;
1212         if (!sbsec->initialized) {
1213                 /* Defer initialization until selinux_complete_init,
1214                    after the initial policy is loaded and the security
1215                    server is ready to handle calls. */
1216                 spin_lock(&sbsec->isec_lock);
1217                 if (list_empty(&isec->list))
1218                         list_add(&isec->list, &sbsec->isec_head);
1219                 spin_unlock(&sbsec->isec_lock);
1220                 goto out_unlock;
1221         }
1222
1223         switch (sbsec->behavior) {
1224         case SECURITY_FS_USE_XATTR:
1225                 if (!inode->i_op->getxattr) {
1226                         isec->sid = sbsec->def_sid;
1227                         break;
1228                 }
1229
1230                 /* Need a dentry, since the xattr API requires one.
1231                    Life would be simpler if we could just pass the inode. */
1232                 if (opt_dentry) {
1233                         /* Called from d_instantiate or d_splice_alias. */
1234                         dentry = dget(opt_dentry);
1235                 } else {
1236                         /* Called from selinux_complete_init, try to find a dentry. */
1237                         dentry = d_find_alias(inode);
1238                 }
1239                 if (!dentry) {
1240                         printk(KERN_WARNING "SELinux: %s:  no dentry for dev=%s "
1241                                "ino=%ld\n", __func__, inode->i_sb->s_id,
1242                                inode->i_ino);
1243                         goto out_unlock;
1244                 }
1245
1246                 len = INITCONTEXTLEN;
1247                 context = kmalloc(len, GFP_NOFS);
1248                 if (!context) {
1249                         rc = -ENOMEM;
1250                         dput(dentry);
1251                         goto out_unlock;
1252                 }
1253                 rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1254                                            context, len);
1255                 if (rc == -ERANGE) {
1256                         /* Need a larger buffer.  Query for the right size. */
1257                         rc = inode->i_op->getxattr(dentry, XATTR_NAME_SELINUX,
1258                                                    NULL, 0);
1259                         if (rc < 0) {
1260                                 dput(dentry);
1261                                 goto out_unlock;
1262                         }
1263                         kfree(context);
1264                         len = rc;
1265                         context = kmalloc(len, GFP_NOFS);
1266                         if (!context) {
1267                                 rc = -ENOMEM;
1268                                 dput(dentry);
1269                                 goto out_unlock;
1270                         }
1271                         rc = inode->i_op->getxattr(dentry,
1272                                                    XATTR_NAME_SELINUX,
1273                                                    context, len);
1274                 }
1275                 dput(dentry);
1276                 if (rc < 0) {
1277                         if (rc != -ENODATA) {
1278                                 printk(KERN_WARNING "SELinux: %s:  getxattr returned "
1279                                        "%d for dev=%s ino=%ld\n", __func__,
1280                                        -rc, inode->i_sb->s_id, inode->i_ino);
1281                                 kfree(context);
1282                                 goto out_unlock;
1283                         }
1284                         /* Map ENODATA to the default file SID */
1285                         sid = sbsec->def_sid;
1286                         rc = 0;
1287                 } else {
1288                         rc = security_context_to_sid_default(context, rc, &sid,
1289                                                              sbsec->def_sid,
1290                                                              GFP_NOFS);
1291                         if (rc) {
1292                                 printk(KERN_WARNING "SELinux: %s:  context_to_sid(%s) "
1293                                        "returned %d for dev=%s ino=%ld\n",
1294                                        __func__, context, -rc,
1295                                        inode->i_sb->s_id, inode->i_ino);
1296                                 kfree(context);
1297                                 /* Leave with the unlabeled SID */
1298                                 rc = 0;
1299                                 break;
1300                         }
1301                 }
1302                 kfree(context);
1303                 isec->sid = sid;
1304                 break;
1305         case SECURITY_FS_USE_TASK:
1306                 isec->sid = isec->task_sid;
1307                 break;
1308         case SECURITY_FS_USE_TRANS:
1309                 /* Default to the fs SID. */
1310                 isec->sid = sbsec->sid;
1311
1312                 /* Try to obtain a transition SID. */
1313                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1314                 rc = security_transition_sid(isec->task_sid,
1315                                              sbsec->sid,
1316                                              isec->sclass,
1317                                              &sid);
1318                 if (rc)
1319                         goto out_unlock;
1320                 isec->sid = sid;
1321                 break;
1322         case SECURITY_FS_USE_MNTPOINT:
1323                 isec->sid = sbsec->mntpoint_sid;
1324                 break;
1325         default:
1326                 /* Default to the fs superblock SID. */
1327                 isec->sid = sbsec->sid;
1328
1329                 if (sbsec->proc && !S_ISLNK(inode->i_mode)) {
1330                         struct proc_inode *proci = PROC_I(inode);
1331                         if (proci->pde) {
1332                                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1333                                 rc = selinux_proc_get_sid(proci->pde,
1334                                                           isec->sclass,
1335                                                           &sid);
1336                                 if (rc)
1337                                         goto out_unlock;
1338                                 isec->sid = sid;
1339                         }
1340                 }
1341                 break;
1342         }
1343
1344         isec->initialized = 1;
1345
1346 out_unlock:
1347         mutex_unlock(&isec->lock);
1348 out:
1349         if (isec->sclass == SECCLASS_FILE)
1350                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
1351         return rc;
1352 }
1353
1354 /* Convert a Linux signal to an access vector. */
1355 static inline u32 signal_to_av(int sig)
1356 {
1357         u32 perm = 0;
1358
1359         switch (sig) {
1360         case SIGCHLD:
1361                 /* Commonly granted from child to parent. */
1362                 perm = PROCESS__SIGCHLD;
1363                 break;
1364         case SIGKILL:
1365                 /* Cannot be caught or ignored */
1366                 perm = PROCESS__SIGKILL;
1367                 break;
1368         case SIGSTOP:
1369                 /* Cannot be caught or ignored */
1370                 perm = PROCESS__SIGSTOP;
1371                 break;
1372         default:
1373                 /* All other signals. */
1374                 perm = PROCESS__SIGNAL;
1375                 break;
1376         }
1377
1378         return perm;
1379 }
1380
1381 /*
1382  * Check permission between a pair of credentials
1383  * fork check, ptrace check, etc.
1384  */
1385 static int cred_has_perm(const struct cred *actor,
1386                          const struct cred *target,
1387                          u32 perms)
1388 {
1389         u32 asid = cred_sid(actor), tsid = cred_sid(target);
1390
1391         return avc_has_perm(asid, tsid, SECCLASS_PROCESS, perms, NULL);
1392 }
1393
1394 /*
1395  * Check permission between a pair of tasks, e.g. signal checks,
1396  * fork check, ptrace check, etc.
1397  * tsk1 is the actor and tsk2 is the target
1398  * - this uses the default subjective creds of tsk1
1399  */
1400 static int task_has_perm(const struct task_struct *tsk1,
1401                          const struct task_struct *tsk2,
1402                          u32 perms)
1403 {
1404         const struct task_security_struct *__tsec1, *__tsec2;
1405         u32 sid1, sid2;
1406
1407         rcu_read_lock();
1408         __tsec1 = __task_cred(tsk1)->security;  sid1 = __tsec1->sid;
1409         __tsec2 = __task_cred(tsk2)->security;  sid2 = __tsec2->sid;
1410         rcu_read_unlock();
1411         return avc_has_perm(sid1, sid2, SECCLASS_PROCESS, perms, NULL);
1412 }
1413
1414 /*
1415  * Check permission between current and another task, e.g. signal checks,
1416  * fork check, ptrace check, etc.
1417  * current is the actor and tsk2 is the target
1418  * - this uses current's subjective creds
1419  */
1420 static int current_has_perm(const struct task_struct *tsk,
1421                             u32 perms)
1422 {
1423         u32 sid, tsid;
1424
1425         sid = current_sid();
1426         tsid = task_sid(tsk);
1427         return avc_has_perm(sid, tsid, SECCLASS_PROCESS, perms, NULL);
1428 }
1429
1430 #if CAP_LAST_CAP > 63
1431 #error Fix SELinux to handle capabilities > 63.
1432 #endif
1433
1434 /* Check whether a task is allowed to use a capability. */
1435 static int task_has_capability(struct task_struct *tsk,
1436                                const struct cred *cred,
1437                                int cap, int audit)
1438 {
1439         struct avc_audit_data ad;
1440         struct av_decision avd;
1441         u16 sclass;
1442         u32 sid = cred_sid(cred);
1443         u32 av = CAP_TO_MASK(cap);
1444         int rc;
1445
1446         AVC_AUDIT_DATA_INIT(&ad, CAP);
1447         ad.tsk = tsk;
1448         ad.u.cap = cap;
1449
1450         switch (CAP_TO_INDEX(cap)) {
1451         case 0:
1452                 sclass = SECCLASS_CAPABILITY;
1453                 break;
1454         case 1:
1455                 sclass = SECCLASS_CAPABILITY2;
1456                 break;
1457         default:
1458                 printk(KERN_ERR
1459                        "SELinux:  out of range capability %d\n", cap);
1460                 BUG();
1461         }
1462
1463         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
1464         if (audit == SECURITY_CAP_AUDIT)
1465                 avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
1466         return rc;
1467 }
1468
1469 /* Check whether a task is allowed to use a system operation. */
1470 static int task_has_system(struct task_struct *tsk,
1471                            u32 perms)
1472 {
1473         u32 sid = task_sid(tsk);
1474
1475         return avc_has_perm(sid, SECINITSID_KERNEL,
1476                             SECCLASS_SYSTEM, perms, NULL);
1477 }
1478
1479 /* Check whether a task has a particular permission to an inode.
1480    The 'adp' parameter is optional and allows other audit
1481    data to be passed (e.g. the dentry). */
1482 static int inode_has_perm(const struct cred *cred,
1483                           struct inode *inode,
1484                           u32 perms,
1485                           struct avc_audit_data *adp)
1486 {
1487         struct inode_security_struct *isec;
1488         struct avc_audit_data ad;
1489         u32 sid;
1490
1491         if (unlikely(IS_PRIVATE(inode)))
1492                 return 0;
1493
1494         sid = cred_sid(cred);
1495         isec = inode->i_security;
1496
1497         if (!adp) {
1498                 adp = &ad;
1499                 AVC_AUDIT_DATA_INIT(&ad, FS);
1500                 ad.u.fs.inode = inode;
1501         }
1502
1503         return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
1504 }
1505
1506 /* Same as inode_has_perm, but pass explicit audit data containing
1507    the dentry to help the auditing code to more easily generate the
1508    pathname if needed. */
1509 static inline int dentry_has_perm(const struct cred *cred,
1510                                   struct vfsmount *mnt,
1511                                   struct dentry *dentry,
1512                                   u32 av)
1513 {
1514         struct inode *inode = dentry->d_inode;
1515         struct avc_audit_data ad;
1516
1517         AVC_AUDIT_DATA_INIT(&ad, FS);
1518         ad.u.fs.path.mnt = mnt;
1519         ad.u.fs.path.dentry = dentry;
1520         return inode_has_perm(cred, inode, av, &ad);
1521 }
1522
1523 /* Check whether a task can use an open file descriptor to
1524    access an inode in a given way.  Check access to the
1525    descriptor itself, and then use dentry_has_perm to
1526    check a particular permission to the file.
1527    Access to the descriptor is implicitly granted if it
1528    has the same SID as the process.  If av is zero, then
1529    access to the file is not checked, e.g. for cases
1530    where only the descriptor is affected like seek. */
1531 static int file_has_perm(const struct cred *cred,
1532                          struct file *file,
1533                          u32 av)
1534 {
1535         struct file_security_struct *fsec = file->f_security;
1536         struct inode *inode = file->f_path.dentry->d_inode;
1537         struct avc_audit_data ad;
1538         u32 sid = cred_sid(cred);
1539         int rc;
1540
1541         AVC_AUDIT_DATA_INIT(&ad, FS);
1542         ad.u.fs.path = file->f_path;
1543
1544         if (sid != fsec->sid) {
1545                 rc = avc_has_perm(sid, fsec->sid,
1546                                   SECCLASS_FD,
1547                                   FD__USE,
1548                                   &ad);
1549                 if (rc)
1550                         goto out;
1551         }
1552
1553         /* av is zero if only checking access to the descriptor. */
1554         rc = 0;
1555         if (av)
1556                 rc = inode_has_perm(cred, inode, av, &ad);
1557
1558 out:
1559         return rc;
1560 }
1561
1562 /* Check whether a task can create a file. */
1563 static int may_create(struct inode *dir,
1564                       struct dentry *dentry,
1565                       u16 tclass)
1566 {
1567         const struct cred *cred = current_cred();
1568         const struct task_security_struct *tsec = cred->security;
1569         struct inode_security_struct *dsec;
1570         struct superblock_security_struct *sbsec;
1571         u32 sid, newsid;
1572         struct avc_audit_data ad;
1573         int rc;
1574
1575         dsec = dir->i_security;
1576         sbsec = dir->i_sb->s_security;
1577
1578         sid = tsec->sid;
1579         newsid = tsec->create_sid;
1580
1581         AVC_AUDIT_DATA_INIT(&ad, FS);
1582         ad.u.fs.path.dentry = dentry;
1583
1584         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR,
1585                           DIR__ADD_NAME | DIR__SEARCH,
1586                           &ad);
1587         if (rc)
1588                 return rc;
1589
1590         if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
1591                 rc = security_transition_sid(sid, dsec->sid, tclass, &newsid);
1592                 if (rc)
1593                         return rc;
1594         }
1595
1596         rc = avc_has_perm(sid, newsid, tclass, FILE__CREATE, &ad);
1597         if (rc)
1598                 return rc;
1599
1600         return avc_has_perm(newsid, sbsec->sid,
1601                             SECCLASS_FILESYSTEM,
1602                             FILESYSTEM__ASSOCIATE, &ad);
1603 }
1604
1605 /* Check whether a task can create a key. */
1606 static int may_create_key(u32 ksid,
1607                           struct task_struct *ctx)
1608 {
1609         u32 sid = task_sid(ctx);
1610
1611         return avc_has_perm(sid, ksid, SECCLASS_KEY, KEY__CREATE, NULL);
1612 }
1613
1614 #define MAY_LINK        0
1615 #define MAY_UNLINK      1
1616 #define MAY_RMDIR       2
1617
1618 /* Check whether a task can link, unlink, or rmdir a file/directory. */
1619 static int may_link(struct inode *dir,
1620                     struct dentry *dentry,
1621                     int kind)
1622
1623 {
1624         struct inode_security_struct *dsec, *isec;
1625         struct avc_audit_data ad;
1626         u32 sid = current_sid();
1627         u32 av;
1628         int rc;
1629
1630         dsec = dir->i_security;
1631         isec = dentry->d_inode->i_security;
1632
1633         AVC_AUDIT_DATA_INIT(&ad, FS);
1634         ad.u.fs.path.dentry = dentry;
1635
1636         av = DIR__SEARCH;
1637         av |= (kind ? DIR__REMOVE_NAME : DIR__ADD_NAME);
1638         rc = avc_has_perm(sid, dsec->sid, SECCLASS_DIR, av, &ad);
1639         if (rc)
1640                 return rc;
1641
1642         switch (kind) {
1643         case MAY_LINK:
1644                 av = FILE__LINK;
1645                 break;
1646         case MAY_UNLINK:
1647                 av = FILE__UNLINK;
1648                 break;
1649         case MAY_RMDIR:
1650                 av = DIR__RMDIR;
1651                 break;
1652         default:
1653                 printk(KERN_WARNING "SELinux: %s:  unrecognized kind %d\n",
1654                         __func__, kind);
1655                 return 0;
1656         }
1657
1658         rc = avc_has_perm(sid, isec->sid, isec->sclass, av, &ad);
1659         return rc;
1660 }
1661
1662 static inline int may_rename(struct inode *old_dir,
1663                              struct dentry *old_dentry,
1664                              struct inode *new_dir,
1665                              struct dentry *new_dentry)
1666 {
1667         struct inode_security_struct *old_dsec, *new_dsec, *old_isec, *new_isec;
1668         struct avc_audit_data ad;
1669         u32 sid = current_sid();
1670         u32 av;
1671         int old_is_dir, new_is_dir;
1672         int rc;
1673
1674         old_dsec = old_dir->i_security;
1675         old_isec = old_dentry->d_inode->i_security;
1676         old_is_dir = S_ISDIR(old_dentry->d_inode->i_mode);
1677         new_dsec = new_dir->i_security;
1678
1679         AVC_AUDIT_DATA_INIT(&ad, FS);
1680
1681         ad.u.fs.path.dentry = old_dentry;
1682         rc = avc_has_perm(sid, old_dsec->sid, SECCLASS_DIR,
1683                           DIR__REMOVE_NAME | DIR__SEARCH, &ad);
1684         if (rc)
1685                 return rc;
1686         rc = avc_has_perm(sid, old_isec->sid,
1687                           old_isec->sclass, FILE__RENAME, &ad);
1688         if (rc)
1689                 return rc;
1690         if (old_is_dir && new_dir != old_dir) {
1691                 rc = avc_has_perm(sid, old_isec->sid,
1692                                   old_isec->sclass, DIR__REPARENT, &ad);
1693                 if (rc)
1694                         return rc;
1695         }
1696
1697         ad.u.fs.path.dentry = new_dentry;
1698         av = DIR__ADD_NAME | DIR__SEARCH;
1699         if (new_dentry->d_inode)
1700                 av |= DIR__REMOVE_NAME;
1701         rc = avc_has_perm(sid, new_dsec->sid, SECCLASS_DIR, av, &ad);
1702         if (rc)
1703                 return rc;
1704         if (new_dentry->d_inode) {
1705                 new_isec = new_dentry->d_inode->i_security;
1706                 new_is_dir = S_ISDIR(new_dentry->d_inode->i_mode);
1707                 rc = avc_has_perm(sid, new_isec->sid,
1708                                   new_isec->sclass,
1709                                   (new_is_dir ? DIR__RMDIR : FILE__UNLINK), &ad);
1710                 if (rc)
1711                         return rc;
1712         }
1713
1714         return 0;
1715 }
1716
1717 /* Check whether a task can perform a filesystem operation. */
1718 static int superblock_has_perm(const struct cred *cred,
1719                                struct super_block *sb,
1720                                u32 perms,
1721                                struct avc_audit_data *ad)
1722 {
1723         struct superblock_security_struct *sbsec;
1724         u32 sid = cred_sid(cred);
1725
1726         sbsec = sb->s_security;
1727         return avc_has_perm(sid, sbsec->sid, SECCLASS_FILESYSTEM, perms, ad);
1728 }
1729
1730 /* Convert a Linux mode and permission mask to an access vector. */
1731 static inline u32 file_mask_to_av(int mode, int mask)
1732 {
1733         u32 av = 0;
1734
1735         if ((mode & S_IFMT) != S_IFDIR) {
1736                 if (mask & MAY_EXEC)
1737                         av |= FILE__EXECUTE;
1738                 if (mask & MAY_READ)
1739                         av |= FILE__READ;
1740
1741                 if (mask & MAY_APPEND)
1742                         av |= FILE__APPEND;
1743                 else if (mask & MAY_WRITE)
1744                         av |= FILE__WRITE;
1745
1746         } else {
1747                 if (mask & MAY_EXEC)
1748                         av |= DIR__SEARCH;
1749                 if (mask & MAY_WRITE)
1750                         av |= DIR__WRITE;
1751                 if (mask & MAY_READ)
1752                         av |= DIR__READ;
1753         }
1754
1755         return av;
1756 }
1757
1758 /* Convert a Linux file to an access vector. */
1759 static inline u32 file_to_av(struct file *file)
1760 {
1761         u32 av = 0;
1762
1763         if (file->f_mode & FMODE_READ)
1764                 av |= FILE__READ;
1765         if (file->f_mode & FMODE_WRITE) {
1766                 if (file->f_flags & O_APPEND)
1767                         av |= FILE__APPEND;
1768                 else
1769                         av |= FILE__WRITE;
1770         }
1771         if (!av) {
1772                 /*
1773                  * Special file opened with flags 3 for ioctl-only use.
1774                  */
1775                 av = FILE__IOCTL;
1776         }
1777
1778         return av;
1779 }
1780
1781 /*
1782  * Convert a file to an access vector and include the correct open
1783  * open permission.
1784  */
1785 static inline u32 open_file_to_av(struct file *file)
1786 {
1787         u32 av = file_to_av(file);
1788
1789         if (selinux_policycap_openperm) {
1790                 mode_t mode = file->f_path.dentry->d_inode->i_mode;
1791                 /*
1792                  * lnk files and socks do not really have an 'open'
1793                  */
1794                 if (S_ISREG(mode))
1795                         av |= FILE__OPEN;
1796                 else if (S_ISCHR(mode))
1797                         av |= CHR_FILE__OPEN;
1798                 else if (S_ISBLK(mode))
1799                         av |= BLK_FILE__OPEN;
1800                 else if (S_ISFIFO(mode))
1801                         av |= FIFO_FILE__OPEN;
1802                 else if (S_ISDIR(mode))
1803                         av |= DIR__OPEN;
1804                 else
1805                         printk(KERN_ERR "SELinux: WARNING: inside %s with "
1806                                 "unknown mode:%o\n", __func__, mode);
1807         }
1808         return av;
1809 }
1810
1811 /* Hook functions begin here. */
1812
1813 static int selinux_ptrace_may_access(struct task_struct *child,
1814                                      unsigned int mode)
1815 {
1816         int rc;
1817
1818         rc = secondary_ops->ptrace_may_access(child, mode);
1819         if (rc)
1820                 return rc;
1821
1822         if (mode == PTRACE_MODE_READ) {
1823                 u32 sid = current_sid();
1824                 u32 csid = task_sid(child);
1825                 return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL);
1826         }
1827
1828         return current_has_perm(child, PROCESS__PTRACE);
1829 }
1830
1831 static int selinux_ptrace_traceme(struct task_struct *parent)
1832 {
1833         int rc;
1834
1835         rc = secondary_ops->ptrace_traceme(parent);
1836         if (rc)
1837                 return rc;
1838
1839         return task_has_perm(parent, current, PROCESS__PTRACE);
1840 }
1841
1842 static int selinux_capget(struct task_struct *target, kernel_cap_t *effective,
1843                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
1844 {
1845         int error;
1846
1847         error = current_has_perm(target, PROCESS__GETCAP);
1848         if (error)
1849                 return error;
1850
1851         return secondary_ops->capget(target, effective, inheritable, permitted);
1852 }
1853
1854 static int selinux_capset(struct cred *new, const struct cred *old,
1855                           const kernel_cap_t *effective,
1856                           const kernel_cap_t *inheritable,
1857                           const kernel_cap_t *permitted)
1858 {
1859         int error;
1860
1861         error = secondary_ops->capset(new, old,
1862                                       effective, inheritable, permitted);
1863         if (error)
1864                 return error;
1865
1866         return cred_has_perm(old, new, PROCESS__SETCAP);
1867 }
1868
1869 static int selinux_capable(int cap, int audit)
1870 {
1871         int rc;
1872
1873         rc = secondary_ops->capable(cap, audit);
1874         if (rc)
1875                 return rc;
1876
1877         return task_has_capability(current, current_cred(), cap, audit);
1878 }
1879
1880 static int selinux_task_capable(struct task_struct *tsk,
1881                                 const struct cred *cred, int cap, int audit)
1882 {
1883         int rc;
1884
1885         rc = secondary_ops->task_capable(tsk, cred, cap, audit);
1886         if (rc)
1887                 return rc;
1888
1889         return task_has_capability(tsk, cred, cap, audit);
1890 }
1891
1892 static int selinux_sysctl_get_sid(ctl_table *table, u16 tclass, u32 *sid)
1893 {
1894         int buflen, rc;
1895         char *buffer, *path, *end;
1896
1897         rc = -ENOMEM;
1898         buffer = (char *)__get_free_page(GFP_KERNEL);
1899         if (!buffer)
1900                 goto out;
1901
1902         buflen = PAGE_SIZE;
1903         end = buffer+buflen;
1904         *--end = '\0';
1905         buflen--;
1906         path = end-1;
1907         *path = '/';
1908         while (table) {
1909                 const char *name = table->procname;
1910                 size_t namelen = strlen(name);
1911                 buflen -= namelen + 1;
1912                 if (buflen < 0)
1913                         goto out_free;
1914                 end -= namelen;
1915                 memcpy(end, name, namelen);
1916                 *--end = '/';
1917                 path = end;
1918                 table = table->parent;
1919         }
1920         buflen -= 4;
1921         if (buflen < 0)
1922                 goto out_free;
1923         end -= 4;
1924         memcpy(end, "/sys", 4);
1925         path = end;
1926         rc = security_genfs_sid("proc", path, tclass, sid);
1927 out_free:
1928         free_page((unsigned long)buffer);
1929 out:
1930         return rc;
1931 }
1932
1933 static int selinux_sysctl(ctl_table *table, int op)
1934 {
1935         int error = 0;
1936         u32 av;
1937         u32 tsid, sid;
1938         int rc;
1939
1940         rc = secondary_ops->sysctl(table, op);
1941         if (rc)
1942                 return rc;
1943
1944         sid = current_sid();
1945
1946         rc = selinux_sysctl_get_sid(table, (op == 0001) ?
1947                                     SECCLASS_DIR : SECCLASS_FILE, &tsid);
1948         if (rc) {
1949                 /* Default to the well-defined sysctl SID. */
1950                 tsid = SECINITSID_SYSCTL;
1951         }
1952
1953         /* The op values are "defined" in sysctl.c, thereby creating
1954          * a bad coupling between this module and sysctl.c */
1955         if (op == 001) {
1956                 error = avc_has_perm(sid, tsid,
1957                                      SECCLASS_DIR, DIR__SEARCH, NULL);
1958         } else {
1959                 av = 0;
1960                 if (op & 004)
1961                         av |= FILE__READ;
1962                 if (op & 002)
1963                         av |= FILE__WRITE;
1964                 if (av)
1965                         error = avc_has_perm(sid, tsid,
1966                                              SECCLASS_FILE, av, NULL);
1967         }
1968
1969         return error;
1970 }
1971
1972 static int selinux_quotactl(int cmds, int type, int id, struct super_block *sb)
1973 {
1974         const struct cred *cred = current_cred();
1975         int rc = 0;
1976
1977         if (!sb)
1978                 return 0;
1979
1980         switch (cmds) {
1981         case Q_SYNC:
1982         case Q_QUOTAON:
1983         case Q_QUOTAOFF:
1984         case Q_SETINFO:
1985         case Q_SETQUOTA:
1986                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAMOD, NULL);
1987                 break;
1988         case Q_GETFMT:
1989         case Q_GETINFO:
1990         case Q_GETQUOTA:
1991                 rc = superblock_has_perm(cred, sb, FILESYSTEM__QUOTAGET, NULL);
1992                 break;
1993         default:
1994                 rc = 0;  /* let the kernel handle invalid cmds */
1995                 break;
1996         }
1997         return rc;
1998 }
1999
2000 static int selinux_quota_on(struct dentry *dentry)
2001 {
2002         const struct cred *cred = current_cred();
2003
2004         return dentry_has_perm(cred, NULL, dentry, FILE__QUOTAON);
2005 }
2006
2007 static int selinux_syslog(int type)
2008 {
2009         int rc;
2010
2011         rc = secondary_ops->syslog(type);
2012         if (rc)
2013                 return rc;
2014
2015         switch (type) {
2016         case 3:         /* Read last kernel messages */
2017         case 10:        /* Return size of the log buffer */
2018                 rc = task_has_system(current, SYSTEM__SYSLOG_READ);
2019                 break;
2020         case 6:         /* Disable logging to console */
2021         case 7:         /* Enable logging to console */
2022         case 8:         /* Set level of messages printed to console */
2023                 rc = task_has_system(current, SYSTEM__SYSLOG_CONSOLE);
2024                 break;
2025         case 0:         /* Close log */
2026         case 1:         /* Open log */
2027         case 2:         /* Read from log */
2028         case 4:         /* Read/clear last kernel messages */
2029         case 5:         /* Clear ring buffer */
2030         default:
2031                 rc = task_has_system(current, SYSTEM__SYSLOG_MOD);
2032                 break;
2033         }
2034         return rc;
2035 }
2036
2037 /*
2038  * Check that a process has enough memory to allocate a new virtual
2039  * mapping. 0 means there is enough memory for the allocation to
2040  * succeed and -ENOMEM implies there is not.
2041  *
2042  * Note that secondary_ops->capable and task_has_perm_noaudit return 0
2043  * if the capability is granted, but __vm_enough_memory requires 1 if
2044  * the capability is granted.
2045  *
2046  * Do not audit the selinux permission check, as this is applied to all
2047  * processes that allocate mappings.
2048  */
2049 static int selinux_vm_enough_memory(struct mm_struct *mm, long pages)
2050 {
2051         int rc, cap_sys_admin = 0;
2052
2053         rc = selinux_capable(CAP_SYS_ADMIN, SECURITY_CAP_NOAUDIT);
2054         if (rc == 0)
2055                 cap_sys_admin = 1;
2056
2057         return __vm_enough_memory(mm, pages, cap_sys_admin);
2058 }
2059
2060 /* binprm security operations */
2061
2062 static int selinux_bprm_set_creds(struct linux_binprm *bprm)
2063 {
2064         const struct task_security_struct *old_tsec;
2065         struct task_security_struct *new_tsec;
2066         struct inode_security_struct *isec;
2067         struct avc_audit_data ad;
2068         struct inode *inode = bprm->file->f_path.dentry->d_inode;
2069         int rc;
2070
2071         rc = secondary_ops->bprm_set_creds(bprm);
2072         if (rc)
2073                 return rc;
2074
2075         /* SELinux context only depends on initial program or script and not
2076          * the script interpreter */
2077         if (bprm->cred_prepared)
2078                 return 0;
2079
2080         old_tsec = current_security();
2081         new_tsec = bprm->cred->security;
2082         isec = inode->i_security;
2083
2084         /* Default to the current task SID. */
2085         new_tsec->sid = old_tsec->sid;
2086         new_tsec->osid = old_tsec->sid;
2087
2088         /* Reset fs, key, and sock SIDs on execve. */
2089         new_tsec->create_sid = 0;
2090         new_tsec->keycreate_sid = 0;
2091         new_tsec->sockcreate_sid = 0;
2092
2093         if (old_tsec->exec_sid) {
2094                 new_tsec->sid = old_tsec->exec_sid;
2095                 /* Reset exec SID on execve. */
2096                 new_tsec->exec_sid = 0;
2097         } else {
2098                 /* Check for a default transition on this program. */
2099                 rc = security_transition_sid(old_tsec->sid, isec->sid,
2100                                              SECCLASS_PROCESS, &new_tsec->sid);
2101                 if (rc)
2102                         return rc;
2103         }
2104
2105         AVC_AUDIT_DATA_INIT(&ad, FS);
2106         ad.u.fs.path = bprm->file->f_path;
2107
2108         if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
2109                 new_tsec->sid = old_tsec->sid;
2110
2111         if (new_tsec->sid == old_tsec->sid) {
2112                 rc = avc_has_perm(old_tsec->sid, isec->sid,
2113                                   SECCLASS_FILE, FILE__EXECUTE_NO_TRANS, &ad);
2114                 if (rc)
2115                         return rc;
2116         } else {
2117                 /* Check permissions for the transition. */
2118                 rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2119                                   SECCLASS_PROCESS, PROCESS__TRANSITION, &ad);
2120                 if (rc)
2121                         return rc;
2122
2123                 rc = avc_has_perm(new_tsec->sid, isec->sid,
2124                                   SECCLASS_FILE, FILE__ENTRYPOINT, &ad);
2125                 if (rc)
2126                         return rc;
2127
2128                 /* Check for shared state */
2129                 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
2130                         rc = avc_has_perm(old_tsec->sid, new_tsec->sid,
2131                                           SECCLASS_PROCESS, PROCESS__SHARE,
2132                                           NULL);
2133                         if (rc)
2134                                 return -EPERM;
2135                 }
2136
2137                 /* Make sure that anyone attempting to ptrace over a task that
2138                  * changes its SID has the appropriate permit */
2139                 if (bprm->unsafe &
2140                     (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
2141                         struct task_struct *tracer;
2142                         struct task_security_struct *sec;
2143                         u32 ptsid = 0;
2144
2145                         rcu_read_lock();
2146                         tracer = tracehook_tracer_task(current);
2147                         if (likely(tracer != NULL)) {
2148                                 sec = __task_cred(tracer)->security;
2149                                 ptsid = sec->sid;
2150                         }
2151                         rcu_read_unlock();
2152
2153                         if (ptsid != 0) {
2154                                 rc = avc_has_perm(ptsid, new_tsec->sid,
2155                                                   SECCLASS_PROCESS,
2156                                                   PROCESS__PTRACE, NULL);
2157                                 if (rc)
2158                                         return -EPERM;
2159                         }
2160                 }
2161
2162                 /* Clear any possibly unsafe personality bits on exec: */
2163                 bprm->per_clear |= PER_CLEAR_ON_SETID;
2164         }
2165
2166         return 0;
2167 }
2168
2169 static int selinux_bprm_check_security(struct linux_binprm *bprm)
2170 {
2171         return secondary_ops->bprm_check_security(bprm);
2172 }
2173
2174 static int selinux_bprm_secureexec(struct linux_binprm *bprm)
2175 {
2176         const struct cred *cred = current_cred();
2177         const struct task_security_struct *tsec = cred->security;
2178         u32 sid, osid;
2179         int atsecure = 0;
2180
2181         sid = tsec->sid;
2182         osid = tsec->osid;
2183
2184         if (osid != sid) {
2185                 /* Enable secure mode for SIDs transitions unless
2186                    the noatsecure permission is granted between
2187                    the two SIDs, i.e. ahp returns 0. */
2188                 atsecure = avc_has_perm(osid, sid,
2189                                         SECCLASS_PROCESS,
2190                                         PROCESS__NOATSECURE, NULL);
2191         }
2192
2193         return (atsecure || secondary_ops->bprm_secureexec(bprm));
2194 }
2195
2196 extern struct vfsmount *selinuxfs_mount;
2197 extern struct dentry *selinux_null;
2198
2199 /* Derived from fs/exec.c:flush_old_files. */
2200 static inline void flush_unauthorized_files(const struct cred *cred,
2201                                             struct files_struct *files)
2202 {
2203         struct avc_audit_data ad;
2204         struct file *file, *devnull = NULL;
2205         struct tty_struct *tty;
2206         struct fdtable *fdt;
2207         long j = -1;
2208         int drop_tty = 0;
2209
2210         tty = get_current_tty();
2211         if (tty) {
2212                 file_list_lock();
2213                 if (!list_empty(&tty->tty_files)) {
2214                         struct inode *inode;
2215
2216                         /* Revalidate access to controlling tty.
2217                            Use inode_has_perm on the tty inode directly rather
2218                            than using file_has_perm, as this particular open
2219                            file may belong to another process and we are only
2220                            interested in the inode-based check here. */
2221                         file = list_first_entry(&tty->tty_files, struct file, f_u.fu_list);
2222                         inode = file->f_path.dentry->d_inode;
2223                         if (inode_has_perm(cred, inode,
2224                                            FILE__READ | FILE__WRITE, NULL)) {
2225                                 drop_tty = 1;
2226                         }
2227                 }
2228                 file_list_unlock();
2229                 tty_kref_put(tty);
2230         }
2231         /* Reset controlling tty. */
2232         if (drop_tty)
2233                 no_tty();
2234
2235         /* Revalidate access to inherited open files. */
2236
2237         AVC_AUDIT_DATA_INIT(&ad, FS);
2238
2239         spin_lock(&files->file_lock);
2240         for (;;) {
2241                 unsigned long set, i;
2242                 int fd;
2243
2244                 j++;
2245                 i = j * __NFDBITS;
2246                 fdt = files_fdtable(files);
2247                 if (i >= fdt->max_fds)
2248                         break;
2249                 set = fdt->open_fds->fds_bits[j];
2250                 if (!set)
2251                         continue;
2252                 spin_unlock(&files->file_lock);
2253                 for ( ; set ; i++, set >>= 1) {
2254                         if (set & 1) {
2255                                 file = fget(i);
2256                                 if (!file)
2257                                         continue;
2258                                 if (file_has_perm(cred,
2259                                                   file,
2260                                                   file_to_av(file))) {
2261                                         sys_close(i);
2262                                         fd = get_unused_fd();
2263                                         if (fd != i) {
2264                                                 if (fd >= 0)
2265                                                         put_unused_fd(fd);
2266                                                 fput(file);
2267                                                 continue;
2268                                         }
2269                                         if (devnull) {
2270                                                 get_file(devnull);
2271                                         } else {
2272                                                 devnull = dentry_open(
2273                                                         dget(selinux_null),
2274                                                         mntget(selinuxfs_mount),
2275                                                         O_RDWR, cred);
2276                                                 if (IS_ERR(devnull)) {
2277                                                         devnull = NULL;
2278                                                         put_unused_fd(fd);
2279                                                         fput(file);
2280                                                         continue;
2281                                                 }
2282                                         }
2283                                         fd_install(fd, devnull);
2284                                 }
2285                                 fput(file);
2286                         }
2287                 }
2288                 spin_lock(&files->file_lock);
2289
2290         }
2291         spin_unlock(&files->file_lock);
2292 }
2293
2294 /*
2295  * Prepare a process for imminent new credential changes due to exec
2296  */
2297 static void selinux_bprm_committing_creds(struct linux_binprm *bprm)
2298 {
2299         struct task_security_struct *new_tsec;
2300         struct rlimit *rlim, *initrlim;
2301         int rc, i;
2302
2303         secondary_ops->bprm_committing_creds(bprm);
2304
2305         new_tsec = bprm->cred->security;
2306         if (new_tsec->sid == new_tsec->osid)
2307                 return;
2308
2309         /* Close files for which the new task SID is not authorized. */
2310         flush_unauthorized_files(bprm->cred, current->files);
2311
2312         /* Always clear parent death signal on SID transitions. */
2313         current->pdeath_signal = 0;
2314
2315         /* Check whether the new SID can inherit resource limits from the old
2316          * SID.  If not, reset all soft limits to the lower of the current
2317          * task's hard limit and the init task's soft limit.
2318          *
2319          * Note that the setting of hard limits (even to lower them) can be
2320          * controlled by the setrlimit check.  The inclusion of the init task's
2321          * soft limit into the computation is to avoid resetting soft limits
2322          * higher than the default soft limit for cases where the default is
2323          * lower than the hard limit, e.g. RLIMIT_CORE or RLIMIT_STACK.
2324          */
2325         rc = avc_has_perm(new_tsec->osid, new_tsec->sid, SECCLASS_PROCESS,
2326                           PROCESS__RLIMITINH, NULL);
2327         if (rc) {
2328                 for (i = 0; i < RLIM_NLIMITS; i++) {
2329                         rlim = current->signal->rlim + i;
2330                         initrlim = init_task.signal->rlim + i;
2331                         rlim->rlim_cur = min(rlim->rlim_max, initrlim->rlim_cur);
2332                 }
2333                 update_rlimit_cpu(rlim->rlim_cur);
2334         }
2335 }
2336
2337 /*
2338  * Clean up the process immediately after the installation of new credentials
2339  * due to exec
2340  */
2341 static void selinux_bprm_committed_creds(struct linux_binprm *bprm)
2342 {
2343         const struct task_security_struct *tsec = current_security();
2344         struct itimerval itimer;
2345         struct sighand_struct *psig;
2346         u32 osid, sid;
2347         int rc, i;
2348         unsigned long flags;
2349
2350         secondary_ops->bprm_committed_creds(bprm);
2351
2352         osid = tsec->osid;
2353         sid = tsec->sid;
2354
2355         if (sid == osid)
2356                 return;
2357
2358         /* Check whether the new SID can inherit signal state from the old SID.
2359          * If not, clear itimers to avoid subsequent signal generation and
2360          * flush and unblock signals.
2361          *
2362          * This must occur _after_ the task SID has been updated so that any
2363          * kill done after the flush will be checked against the new SID.
2364          */
2365         rc = avc_has_perm(osid, sid, SECCLASS_PROCESS, PROCESS__SIGINH, NULL);
2366         if (rc) {
2367                 memset(&itimer, 0, sizeof itimer);
2368                 for (i = 0; i < 3; i++)
2369                         do_setitimer(i, &itimer, NULL);
2370                 flush_signals(current);
2371                 spin_lock_irq(&current->sighand->siglock);
2372                 flush_signal_handlers(current, 1);
2373                 sigemptyset(&current->blocked);
2374                 recalc_sigpending();
2375                 spin_unlock_irq(&current->sighand->siglock);
2376         }
2377
2378         /* Wake up the parent if it is waiting so that it can recheck
2379          * wait permission to the new task SID. */
2380         read_lock_irq(&tasklist_lock);
2381         psig = current->parent->sighand;
2382         spin_lock_irqsave(&psig->siglock, flags);
2383         wake_up_interruptible(&current->parent->signal->wait_chldexit);
2384         spin_unlock_irqrestore(&psig->siglock, flags);
2385         read_unlock_irq(&tasklist_lock);
2386 }
2387
2388 /* superblock security operations */
2389
2390 static int selinux_sb_alloc_security(struct super_block *sb)
2391 {
2392         return superblock_alloc_security(sb);
2393 }
2394
2395 static void selinux_sb_free_security(struct super_block *sb)
2396 {
2397         superblock_free_security(sb);
2398 }
2399
2400 static inline int match_prefix(char *prefix, int plen, char *option, int olen)
2401 {
2402         if (plen > olen)
2403                 return 0;
2404
2405         return !memcmp(prefix, option, plen);
2406 }
2407
2408 static inline int selinux_option(char *option, int len)
2409 {
2410         return (match_prefix(CONTEXT_STR, sizeof(CONTEXT_STR)-1, option, len) ||
2411                 match_prefix(FSCONTEXT_STR, sizeof(FSCONTEXT_STR)-1, option, len) ||
2412                 match_prefix(DEFCONTEXT_STR, sizeof(DEFCONTEXT_STR)-1, option, len) ||
2413                 match_prefix(ROOTCONTEXT_STR, sizeof(ROOTCONTEXT_STR)-1, option, len));
2414 }
2415
2416 static inline void take_option(char **to, char *from, int *first, int len)
2417 {
2418         if (!*first) {
2419                 **to = ',';
2420                 *to += 1;
2421         } else
2422                 *first = 0;
2423         memcpy(*to, from, len);
2424         *to += len;
2425 }
2426
2427 static inline void take_selinux_option(char **to, char *from, int *first,
2428                                        int len)
2429 {
2430         int current_size = 0;
2431
2432         if (!*first) {
2433                 **to = '|';
2434                 *to += 1;
2435         } else
2436                 *first = 0;
2437
2438         while (current_size < len) {
2439                 if (*from != '"') {
2440                         **to = *from;
2441                         *to += 1;
2442                 }
2443                 from += 1;
2444                 current_size += 1;
2445         }
2446 }
2447
2448 static int selinux_sb_copy_data(char *orig, char *copy)
2449 {
2450         int fnosec, fsec, rc = 0;
2451         char *in_save, *in_curr, *in_end;
2452         char *sec_curr, *nosec_save, *nosec;
2453         int open_quote = 0;
2454
2455         in_curr = orig;
2456         sec_curr = copy;
2457
2458         nosec = (char *)get_zeroed_page(GFP_KERNEL);
2459         if (!nosec) {
2460                 rc = -ENOMEM;
2461                 goto out;
2462         }
2463
2464         nosec_save = nosec;
2465         fnosec = fsec = 1;
2466         in_save = in_end = orig;
2467
2468         do {
2469                 if (*in_end == '"')
2470                         open_quote = !open_quote;
2471                 if ((*in_end == ',' && open_quote == 0) ||
2472                                 *in_end == '\0') {
2473                         int len = in_end - in_curr;
2474
2475                         if (selinux_option(in_curr, len))
2476                                 take_selinux_option(&sec_curr, in_curr, &fsec, len);
2477                         else
2478                                 take_option(&nosec, in_curr, &fnosec, len);
2479
2480                         in_curr = in_end + 1;
2481                 }
2482         } while (*in_end++);
2483
2484         strcpy(in_save, nosec_save);
2485         free_page((unsigned long)nosec_save);
2486 out:
2487         return rc;
2488 }
2489
2490 static int selinux_sb_kern_mount(struct super_block *sb, int flags, void *data)
2491 {
2492         const struct cred *cred = current_cred();
2493         struct avc_audit_data ad;
2494         int rc;
2495
2496         rc = superblock_doinit(sb, data);
2497         if (rc)
2498                 return rc;
2499
2500         /* Allow all mounts performed by the kernel */
2501         if (flags & MS_KERNMOUNT)
2502                 return 0;
2503
2504         AVC_AUDIT_DATA_INIT(&ad, FS);
2505         ad.u.fs.path.dentry = sb->s_root;
2506         return superblock_has_perm(cred, sb, FILESYSTEM__MOUNT, &ad);
2507 }
2508
2509 static int selinux_sb_statfs(struct dentry *dentry)
2510 {
2511         const struct cred *cred = current_cred();
2512         struct avc_audit_data ad;
2513
2514         AVC_AUDIT_DATA_INIT(&ad, FS);
2515         ad.u.fs.path.dentry = dentry->d_sb->s_root;
2516         return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad);
2517 }
2518
2519 static int selinux_mount(char *dev_name,
2520                          struct path *path,
2521                          char *type,
2522                          unsigned long flags,
2523                          void *data)
2524 {
2525         const struct cred *cred = current_cred();
2526         int rc;
2527
2528         rc = secondary_ops->sb_mount(dev_name, path, type, flags, data);
2529         if (rc)
2530                 return rc;
2531
2532         if (flags & MS_REMOUNT)
2533                 return superblock_has_perm(cred, path->mnt->mnt_sb,
2534                                            FILESYSTEM__REMOUNT, NULL);
2535         else
2536                 return dentry_has_perm(cred, path->mnt, path->dentry,
2537                                        FILE__MOUNTON);
2538 }
2539
2540 static int selinux_umount(struct vfsmount *mnt, int flags)
2541 {
2542         const struct cred *cred = current_cred();
2543         int rc;
2544
2545         rc = secondary_ops->sb_umount(mnt, flags);
2546         if (rc)
2547                 return rc;
2548
2549         return superblock_has_perm(cred, mnt->mnt_sb,
2550                                    FILESYSTEM__UNMOUNT, NULL);
2551 }
2552
2553 /* inode security operations */
2554
2555 static int selinux_inode_alloc_security(struct inode *inode)
2556 {
2557         return inode_alloc_security(inode);
2558 }
2559
2560 static void selinux_inode_free_security(struct inode *inode)
2561 {
2562         inode_free_security(inode);
2563 }
2564
2565 static int selinux_inode_init_security(struct inode *inode, struct inode *dir,
2566                                        char **name, void **value,
2567                                        size_t *len)
2568 {
2569         const struct cred *cred = current_cred();
2570         const struct task_security_struct *tsec = cred->security;
2571         struct inode_security_struct *dsec;
2572         struct superblock_security_struct *sbsec;
2573         u32 sid, newsid, clen;
2574         int rc;
2575         char *namep = NULL, *context;
2576
2577         dsec = dir->i_security;
2578         sbsec = dir->i_sb->s_security;
2579
2580         sid = tsec->sid;
2581         newsid = tsec->create_sid;
2582
2583         if (!newsid || sbsec->behavior == SECURITY_FS_USE_MNTPOINT) {
2584                 rc = security_transition_sid(sid, dsec->sid,
2585                                              inode_mode_to_security_class(inode->i_mode),
2586                                              &newsid);
2587                 if (rc) {
2588                         printk(KERN_WARNING "%s:  "
2589                                "security_transition_sid failed, rc=%d (dev=%s "
2590                                "ino=%ld)\n",
2591                                __func__,
2592                                -rc, inode->i_sb->s_id, inode->i_ino);
2593                         return rc;
2594                 }
2595         }
2596
2597         /* Possibly defer initialization to selinux_complete_init. */
2598         if (sbsec->initialized) {
2599                 struct inode_security_struct *isec = inode->i_security;
2600                 isec->sclass = inode_mode_to_security_class(inode->i_mode);
2601                 isec->sid = newsid;
2602                 isec->initialized = 1;
2603         }
2604
2605         if (!ss_initialized || sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2606                 return -EOPNOTSUPP;
2607
2608         if (name) {
2609                 namep = kstrdup(XATTR_SELINUX_SUFFIX, GFP_NOFS);
2610                 if (!namep)
2611                         return -ENOMEM;
2612                 *name = namep;
2613         }
2614
2615         if (value && len) {
2616                 rc = security_sid_to_context_force(newsid, &context, &clen);
2617                 if (rc) {
2618                         kfree(namep);
2619                         return rc;
2620                 }
2621                 *value = context;
2622                 *len = clen;
2623         }
2624
2625         return 0;
2626 }
2627
2628 static int selinux_inode_create(struct inode *dir, struct dentry *dentry, int mask)
2629 {
2630         return may_create(dir, dentry, SECCLASS_FILE);
2631 }
2632
2633 static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry)
2634 {
2635         int rc;
2636
2637         rc = secondary_ops->inode_link(old_dentry, dir, new_dentry);
2638         if (rc)
2639                 return rc;
2640         return may_link(dir, old_dentry, MAY_LINK);
2641 }
2642
2643 static int selinux_inode_unlink(struct inode *dir, struct dentry *dentry)
2644 {
2645         int rc;
2646
2647         rc = secondary_ops->inode_unlink(dir, dentry);
2648         if (rc)
2649                 return rc;
2650         return may_link(dir, dentry, MAY_UNLINK);
2651 }
2652
2653 static int selinux_inode_symlink(struct inode *dir, struct dentry *dentry, const char *name)
2654 {
2655         return may_create(dir, dentry, SECCLASS_LNK_FILE);
2656 }
2657
2658 static int selinux_inode_mkdir(struct inode *dir, struct dentry *dentry, int mask)
2659 {
2660         return may_create(dir, dentry, SECCLASS_DIR);
2661 }
2662
2663 static int selinux_inode_rmdir(struct inode *dir, struct dentry *dentry)
2664 {
2665         return may_link(dir, dentry, MAY_RMDIR);
2666 }
2667
2668 static int selinux_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
2669 {
2670         int rc;
2671
2672         rc = secondary_ops->inode_mknod(dir, dentry, mode, dev);
2673         if (rc)
2674                 return rc;
2675
2676         return may_create(dir, dentry, inode_mode_to_security_class(mode));
2677 }
2678
2679 static int selinux_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
2680                                 struct inode *new_inode, struct dentry *new_dentry)
2681 {
2682         return may_rename(old_inode, old_dentry, new_inode, new_dentry);
2683 }
2684
2685 static int selinux_inode_readlink(struct dentry *dentry)
2686 {
2687         const struct cred *cred = current_cred();
2688
2689         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2690 }
2691
2692 static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata)
2693 {
2694         const struct cred *cred = current_cred();
2695         int rc;
2696
2697         rc = secondary_ops->inode_follow_link(dentry, nameidata);
2698         if (rc)
2699                 return rc;
2700         return dentry_has_perm(cred, NULL, dentry, FILE__READ);
2701 }
2702
2703 static int selinux_inode_permission(struct inode *inode, int mask)
2704 {
2705         const struct cred *cred = current_cred();
2706         int rc;
2707
2708         rc = secondary_ops->inode_permission(inode, mask);
2709         if (rc)
2710                 return rc;
2711
2712         if (!mask) {
2713                 /* No permission to check.  Existence test. */
2714                 return 0;
2715         }
2716
2717         return inode_has_perm(cred, inode,
2718                               file_mask_to_av(inode->i_mode, mask), NULL);
2719 }
2720
2721 static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr)
2722 {
2723         const struct cred *cred = current_cred();
2724         int rc;
2725
2726         rc = secondary_ops->inode_setattr(dentry, iattr);
2727         if (rc)
2728                 return rc;
2729
2730         if (iattr->ia_valid & ATTR_FORCE)
2731                 return 0;
2732
2733         if (iattr->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID |
2734                                ATTR_ATIME_SET | ATTR_MTIME_SET))
2735                 return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2736
2737         return dentry_has_perm(cred, NULL, dentry, FILE__WRITE);
2738 }
2739
2740 static int selinux_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
2741 {
2742         const struct cred *cred = current_cred();
2743
2744         return dentry_has_perm(cred, mnt, dentry, FILE__GETATTR);
2745 }
2746
2747 static int selinux_inode_setotherxattr(struct dentry *dentry, const char *name)
2748 {
2749         const struct cred *cred = current_cred();
2750
2751         if (!strncmp(name, XATTR_SECURITY_PREFIX,
2752                      sizeof XATTR_SECURITY_PREFIX - 1)) {
2753                 if (!strcmp(name, XATTR_NAME_CAPS)) {
2754                         if (!capable(CAP_SETFCAP))
2755                                 return -EPERM;
2756                 } else if (!capable(CAP_SYS_ADMIN)) {
2757                         /* A different attribute in the security namespace.
2758                            Restrict to administrator. */
2759                         return -EPERM;
2760                 }
2761         }
2762
2763         /* Not an attribute we recognize, so just check the
2764            ordinary setattr permission. */
2765         return dentry_has_perm(cred, NULL, dentry, FILE__SETATTR);
2766 }
2767
2768 static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
2769                                   const void *value, size_t size, int flags)
2770 {
2771         struct inode *inode = dentry->d_inode;
2772         struct inode_security_struct *isec = inode->i_security;
2773         struct superblock_security_struct *sbsec;
2774         struct avc_audit_data ad;
2775         u32 newsid, sid = current_sid();
2776         int rc = 0;
2777
2778         if (strcmp(name, XATTR_NAME_SELINUX))
2779                 return selinux_inode_setotherxattr(dentry, name);
2780
2781         sbsec = inode->i_sb->s_security;
2782         if (sbsec->behavior == SECURITY_FS_USE_MNTPOINT)
2783                 return -EOPNOTSUPP;
2784
2785         if (!is_owner_or_cap(inode))
2786                 return -EPERM;
2787
2788         AVC_AUDIT_DATA_INIT(&ad, FS);
2789         ad.u.fs.path.dentry = dentry;
2790
2791         rc = avc_has_perm(sid, isec->sid, isec->sclass,
2792                           FILE__RELABELFROM, &ad);
2793         if (rc)
2794                 return rc;
2795
2796         rc = security_context_to_sid(value, size, &newsid);
2797         if (rc == -EINVAL) {
2798                 if (!capable(CAP_MAC_ADMIN))
2799                         return rc;
2800                 rc = security_context_to_sid_force(value, size, &newsid);
2801         }
2802         if (rc)
2803                 return rc;
2804
2805         rc = avc_has_perm(sid, newsid, isec->sclass,
2806                           FILE__RELABELTO, &ad);
2807         if (rc)
2808                 return rc;
2809
2810         rc = security_validate_transition(isec->sid, newsid, sid,
2811                                           isec->sclass);
2812         if (rc)
2813                 return rc;
2814
2815         return avc_has_perm(newsid,
2816                             sbsec->sid,
2817                             SECCLASS_FILESYSTEM,
2818                             FILESYSTEM__ASSOCIATE,
2819                             &ad);
2820 }
2821
2822 static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
2823                                         const void *value, size_t size,
2824                                         int flags)
2825 {
2826         struct inode *inode = dentry->d_inode;
2827         struct inode_security_struct *isec = inode->i_security;
2828         u32 newsid;
2829         int rc;
2830
2831         if (strcmp(name, XATTR_NAME_SELINUX)) {
2832                 /* Not an attribute we recognize, so nothing to do. */
2833                 return;
2834         }
2835
2836         rc = security_context_to_sid_force(value, size, &newsid);
2837         if (rc) {
2838                 printk(KERN_ERR "SELinux:  unable to map context to SID"
2839                        "for (%s, %lu), rc=%d\n",
2840                        inode->i_sb->s_id, inode->i_ino, -rc);
2841                 return;
2842         }
2843
2844         isec->sid = newsid;
2845         return;
2846 }
2847
2848 static int selinux_inode_getxattr(struct dentry *dentry, const char *name)
2849 {
2850         const struct cred *cred = current_cred();
2851
2852         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2853 }
2854
2855 static int selinux_inode_listxattr(struct dentry *dentry)
2856 {
2857         const struct cred *cred = current_cred();
2858
2859         return dentry_has_perm(cred, NULL, dentry, FILE__GETATTR);
2860 }
2861
2862 static int selinux_inode_removexattr(struct dentry *dentry, const char *name)
2863 {
2864         if (strcmp(name, XATTR_NAME_SELINUX))
2865                 return selinux_inode_setotherxattr(dentry, name);
2866
2867         /* No one is allowed to remove a SELinux security label.
2868            You can change the label, but all data must be labeled. */
2869         return -EACCES;
2870 }
2871
2872 /*
2873  * Copy the inode security context value to the user.
2874  *
2875  * Permission check is handled by selinux_inode_getxattr hook.
2876  */
2877 static int selinux_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
2878 {
2879         u32 size;
2880         int error;
2881         char *context = NULL;
2882         struct inode_security_struct *isec = inode->i_security;
2883
2884         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2885                 return -EOPNOTSUPP;
2886
2887         /*
2888          * If the caller has CAP_MAC_ADMIN, then get the raw context
2889          * value even if it is not defined by current policy; otherwise,
2890          * use the in-core value under current policy.
2891          * Use the non-auditing forms of the permission checks since
2892          * getxattr may be called by unprivileged processes commonly
2893          * and lack of permission just means that we fall back to the
2894          * in-core context value, not a denial.
2895          */
2896         error = selinux_capable(CAP_MAC_ADMIN, SECURITY_CAP_NOAUDIT);
2897         if (!error)
2898                 error = security_sid_to_context_force(isec->sid, &context,
2899                                                       &size);
2900         else
2901                 error = security_sid_to_context(isec->sid, &context, &size);
2902         if (error)
2903                 return error;
2904         error = size;
2905         if (alloc) {
2906                 *buffer = context;
2907                 goto out_nofree;
2908         }
2909         kfree(context);
2910 out_nofree:
2911         return error;
2912 }
2913
2914 static int selinux_inode_setsecurity(struct inode *inode, const char *name,
2915                                      const void *value, size_t size, int flags)
2916 {
2917         struct inode_security_struct *isec = inode->i_security;
2918         u32 newsid;
2919         int rc;
2920
2921         if (strcmp(name, XATTR_SELINUX_SUFFIX))
2922                 return -EOPNOTSUPP;
2923
2924         if (!value || !size)
2925                 return -EACCES;
2926
2927         rc = security_context_to_sid((void *)value, size, &newsid);
2928         if (rc)
2929                 return rc;
2930
2931         isec->sid = newsid;
2932         return 0;
2933 }
2934
2935 static int selinux_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
2936 {
2937         const int len = sizeof(XATTR_NAME_SELINUX);
2938         if (buffer && len <= buffer_size)
2939                 memcpy(buffer, XATTR_NAME_SELINUX, len);
2940         return len;
2941 }
2942
2943 static int selinux_inode_need_killpriv(struct dentry *dentry)
2944 {
2945         return secondary_ops->inode_need_killpriv(dentry);
2946 }
2947
2948 static int selinux_inode_killpriv(struct dentry *dentry)
2949 {
2950         return secondary_ops->inode_killpriv(dentry);
2951 }
2952
2953 static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
2954 {
2955         struct inode_security_struct *isec = inode->i_security;
2956         *secid = isec->sid;
2957 }
2958
2959 /* file security operations */
2960
2961 static int selinux_revalidate_file_permission(struct file *file, int mask)
2962 {
2963         const struct cred *cred = current_cred();
2964         int rc;
2965         struct inode *inode = file->f_path.dentry->d_inode;
2966
2967         if (!mask) {
2968                 /* No permission to check.  Existence test. */
2969                 return 0;
2970         }
2971
2972         /* file_mask_to_av won't add FILE__WRITE if MAY_APPEND is set */
2973         if ((file->f_flags & O_APPEND) && (mask & MAY_WRITE))
2974                 mask |= MAY_APPEND;
2975
2976         rc = file_has_perm(cred, file,
2977                            file_mask_to_av(inode->i_mode, mask));
2978         if (rc)
2979                 return rc;
2980
2981         return selinux_netlbl_inode_permission(inode, mask);
2982 }
2983
2984 static int selinux_file_permission(struct file *file, int mask)
2985 {
2986         struct inode *inode = file->f_path.dentry->d_inode;
2987         struct file_security_struct *fsec = file->f_security;
2988         struct inode_security_struct *isec = inode->i_security;
2989         u32 sid = current_sid();
2990
2991         if (!mask) {
2992                 /* No permission to check.  Existence test. */
2993                 return 0;
2994         }
2995
2996         if (sid == fsec->sid && fsec->isid == isec->sid
2997             && fsec->pseqno == avc_policy_seqno())
2998                 return selinux_netlbl_inode_permission(inode, mask);
2999
3000         return selinux_revalidate_file_permission(file, mask);
3001 }
3002
3003 static int selinux_file_alloc_security(struct file *file)
3004 {
3005         return file_alloc_security(file);
3006 }
3007
3008 static void selinux_file_free_security(struct file *file)
3009 {
3010         file_free_security(file);
3011 }
3012
3013 static int selinux_file_ioctl(struct file *file, unsigned int cmd,
3014                               unsigned long arg)
3015 {
3016         const struct cred *cred = current_cred();
3017         u32 av = 0;
3018
3019         if (_IOC_DIR(cmd) & _IOC_WRITE)
3020                 av |= FILE__WRITE;
3021         if (_IOC_DIR(cmd) & _IOC_READ)
3022                 av |= FILE__READ;
3023         if (!av)
3024                 av = FILE__IOCTL;
3025
3026         return file_has_perm(cred, file, av);
3027 }
3028
3029 static int file_map_prot_check(struct file *file, unsigned long prot, int shared)
3030 {
3031         const struct cred *cred = current_cred();
3032         int rc = 0;
3033
3034 #ifndef CONFIG_PPC32
3035         if ((prot & PROT_EXEC) && (!file || (!shared && (prot & PROT_WRITE)))) {
3036                 /*
3037                  * We are making executable an anonymous mapping or a
3038                  * private file mapping that will also be writable.
3039                  * This has an additional check.
3040                  */
3041                 rc = cred_has_perm(cred, cred, PROCESS__EXECMEM);
3042                 if (rc)
3043                         goto error;
3044         }
3045 #endif
3046
3047         if (file) {
3048                 /* read access is always possible with a mapping */
3049                 u32 av = FILE__READ;
3050
3051                 /* write access only matters if the mapping is shared */
3052                 if (shared && (prot & PROT_WRITE))
3053                         av |= FILE__WRITE;
3054
3055                 if (prot & PROT_EXEC)
3056                         av |= FILE__EXECUTE;
3057
3058                 return file_has_perm(cred, file, av);
3059         }
3060
3061 error:
3062         return rc;
3063 }
3064
3065 static int selinux_file_mmap(struct file *file, unsigned long reqprot,
3066                              unsigned long prot, unsigned long flags,
3067                              unsigned long addr, unsigned long addr_only)
3068 {
3069         int rc = 0;
3070         u32 sid = current_sid();
3071
3072         if (addr < mmap_min_addr)
3073                 rc = avc_has_perm(sid, sid, SECCLASS_MEMPROTECT,
3074                                   MEMPROTECT__MMAP_ZERO, NULL);
3075         if (rc || addr_only)
3076                 return rc;
3077
3078         if (selinux_checkreqprot)
3079                 prot = reqprot;
3080
3081         return file_map_prot_check(file, prot,
3082                                    (flags & MAP_TYPE) == MAP_SHARED);
3083 }
3084
3085 static int selinux_file_mprotect(struct vm_area_struct *vma,
3086                                  unsigned long reqprot,
3087                                  unsigned long prot)
3088 {
3089         const struct cred *cred = current_cred();
3090         int rc;
3091
3092         rc = secondary_ops->file_mprotect(vma, reqprot, prot);
3093         if (rc)
3094                 return rc;
3095
3096         if (selinux_checkreqprot)
3097                 prot = reqprot;
3098
3099 #ifndef CONFIG_PPC32
3100         if ((prot & PROT_EXEC) && !(vma->vm_flags & VM_EXEC)) {
3101                 rc = 0;
3102                 if (vma->vm_start >= vma->vm_mm->start_brk &&
3103                     vma->vm_end <= vma->vm_mm->brk) {
3104                         rc = cred_has_perm(cred, cred, PROCESS__EXECHEAP);
3105                 } else if (!vma->vm_file &&
3106                            vma->vm_start <= vma->vm_mm->start_stack &&
3107                            vma->vm_end >= vma->vm_mm->start_stack) {
3108                         rc = current_has_perm(current, PROCESS__EXECSTACK);
3109                 } else if (vma->vm_file && vma->anon_vma) {
3110                         /*
3111                          * We are making executable a file mapping that has
3112                          * had some COW done. Since pages might have been
3113                          * written, check ability to execute the possibly
3114                          * modified content.  This typically should only
3115                          * occur for text relocations.
3116                          */
3117                         rc = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
3118                 }
3119                 if (rc)
3120                         return rc;
3121         }
3122 #endif
3123
3124         return file_map_prot_check(vma->vm_file, prot, vma->vm_flags&VM_SHARED);
3125 }
3126
3127 static int selinux_file_lock(struct file *file, unsigned int cmd)
3128 {
3129         const struct cred *cred = current_cred();
3130
3131         return file_has_perm(cred, file, FILE__LOCK);
3132 }
3133
3134 static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3135                               unsigned long arg)
3136 {
3137         const struct cred *cred = current_cred();
3138         int err = 0;
3139
3140         switch (cmd) {
3141         case F_SETFL:
3142                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3143                         err = -EINVAL;
3144                         break;
3145                 }
3146
3147                 if ((file->f_flags & O_APPEND) && !(arg & O_APPEND)) {
3148                         err = file_has_perm(cred, file, FILE__WRITE);
3149                         break;
3150                 }
3151                 /* fall through */
3152         case F_SETOWN:
3153         case F_SETSIG:
3154         case F_GETFL:
3155         case F_GETOWN:
3156         case F_GETSIG:
3157                 /* Just check FD__USE permission */
3158                 err = file_has_perm(cred, file, 0);
3159                 break;
3160         case F_GETLK:
3161         case F_SETLK:
3162         case F_SETLKW:
3163 #if BITS_PER_LONG == 32
3164         case F_GETLK64:
3165         case F_SETLK64:
3166         case F_SETLKW64:
3167 #endif
3168                 if (!file->f_path.dentry || !file->f_path.dentry->d_inode) {
3169                         err = -EINVAL;
3170                         break;
3171                 }
3172                 err = file_has_perm(cred, file, FILE__LOCK);
3173                 break;
3174         }
3175
3176         return err;
3177 }
3178
3179 static int selinux_file_set_fowner(struct file *file)
3180 {
3181         struct file_security_struct *fsec;
3182
3183         fsec = file->f_security;
3184         fsec->fown_sid = current_sid();
3185
3186         return 0;
3187 }
3188
3189 static int selinux_file_send_sigiotask(struct task_struct *tsk,
3190                                        struct fown_struct *fown, int signum)
3191 {
3192         struct file *file;
3193         u32 sid = current_sid();
3194         u32 perm;
3195         struct file_security_struct *fsec;
3196
3197         /* struct fown_struct is never outside the context of a struct file */
3198         file = container_of(fown, struct file, f_owner);
3199
3200         fsec = file->f_security;
3201
3202         if (!signum)
3203                 perm = signal_to_av(SIGIO); /* as per send_sigio_to_task */
3204         else
3205                 perm = signal_to_av(signum);
3206
3207         return avc_has_perm(fsec->fown_sid, sid,
3208                             SECCLASS_PROCESS, perm, NULL);
3209 }
3210
3211 static int selinux_file_receive(struct file *file)
3212 {
3213         const struct cred *cred = current_cred();
3214
3215         return file_has_perm(cred, file, file_to_av(file));
3216 }
3217
3218 static int selinux_dentry_open(struct file *file, const struct cred *cred)
3219 {
3220         struct file_security_struct *fsec;
3221         struct inode *inode;
3222         struct inode_security_struct *isec;
3223
3224         inode = file->f_path.dentry->d_inode;
3225         fsec = file->f_security;
3226         isec = inode->i_security;
3227         /*
3228          * Save inode label and policy sequence number
3229          * at open-time so that selinux_file_permission
3230          * can determine whether revalidation is necessary.
3231          * Task label is already saved in the file security
3232          * struct as its SID.
3233          */
3234         fsec->isid = isec->sid;
3235         fsec->pseqno = avc_policy_seqno();
3236         /*
3237          * Since the inode label or policy seqno may have changed
3238          * between the selinux_inode_permission check and the saving
3239          * of state above, recheck that access is still permitted.
3240          * Otherwise, access might never be revalidated against the
3241          * new inode label or new policy.
3242          * This check is not redundant - do not remove.
3243          */
3244         return inode_has_perm(cred, inode, open_file_to_av(file), NULL);
3245 }
3246
3247 /* task security operations */
3248
3249 static int selinux_task_create(unsigned long clone_flags)
3250 {
3251         int rc;
3252
3253         rc = secondary_ops->task_create(clone_flags);
3254         if (rc)
3255                 return rc;
3256
3257         return current_has_perm(current, PROCESS__FORK);
3258 }
3259
3260 /*
3261  * detach and free the LSM part of a set of credentials
3262  */
3263 static void selinux_cred_free(struct cred *cred)
3264 {
3265         struct task_security_struct *tsec = cred->security;
3266         cred->security = NULL;
3267         kfree(tsec);
3268 }
3269
3270 /*
3271  * prepare a new set of credentials for modification
3272  */
3273 static int selinux_cred_prepare(struct cred *new, const struct cred *old,
3274                                 gfp_t gfp)
3275 {
3276         const struct task_security_struct *old_tsec;
3277         struct task_security_struct *tsec;
3278
3279         old_tsec = old->security;
3280
3281         tsec = kmemdup(old_tsec, sizeof(struct task_security_struct), gfp);
3282         if (!tsec)
3283                 return -ENOMEM;
3284
3285         new->security = tsec;
3286         return 0;
3287 }
3288
3289 /*
3290  * commit new credentials
3291  */
3292 static void selinux_cred_commit(struct cred *new, const struct cred *old)
3293 {
3294         secondary_ops->cred_commit(new, old);
3295 }
3296
3297 /*
3298  * set the security data for a kernel service
3299  * - all the creation contexts are set to unlabelled
3300  */
3301 static int selinux_kernel_act_as(struct cred *new, u32 secid)
3302 {
3303         struct task_security_struct *tsec = new->security;
3304         u32 sid = current_sid();
3305         int ret;
3306
3307         ret = avc_has_perm(sid, secid,
3308                            SECCLASS_KERNEL_SERVICE,
3309                            KERNEL_SERVICE__USE_AS_OVERRIDE,
3310                            NULL);
3311         if (ret == 0) {
3312                 tsec->sid = secid;
3313                 tsec->create_sid = 0;
3314                 tsec->keycreate_sid = 0;
3315                 tsec->sockcreate_sid = 0;
3316         }
3317         return ret;
3318 }
3319
3320 /*
3321  * set the file creation context in a security record to the same as the
3322  * objective context of the specified inode
3323  */
3324 static int selinux_kernel_create_files_as(struct cred *new, struct inode *inode)
3325 {
3326         struct inode_security_struct *isec = inode->i_security;
3327         struct task_security_struct *tsec = new->security;
3328         u32 sid = current_sid();
3329         int ret;
3330
3331         ret = avc_has_perm(sid, isec->sid,
3332                            SECCLASS_KERNEL_SERVICE,
3333                            KERNEL_SERVICE__CREATE_FILES_AS,
3334                            NULL);
3335
3336         if (ret == 0)
3337                 tsec->create_sid = isec->sid;
3338         return 0;
3339 }
3340
3341 static int selinux_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
3342 {
3343         /* Since setuid only affects the current process, and
3344            since the SELinux controls are not based on the Linux
3345            identity attributes, SELinux does not need to control
3346            this operation.  However, SELinux does control the use
3347            of the CAP_SETUID and CAP_SETGID capabilities using the
3348            capable hook. */
3349         return 0;
3350 }
3351
3352 static int selinux_task_fix_setuid(struct cred *new, const struct cred *old,
3353                                    int flags)
3354 {
3355         return secondary_ops->task_fix_setuid(new, old, flags);
3356 }
3357
3358 static int selinux_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
3359 {
3360         /* See the comment for setuid above. */
3361         return 0;
3362 }
3363
3364 static int selinux_task_setpgid(struct task_struct *p, pid_t pgid)
3365 {
3366         return current_has_perm(p, PROCESS__SETPGID);
3367 }
3368
3369 static int selinux_task_getpgid(struct task_struct *p)
3370 {
3371         return current_has_perm(p, PROCESS__GETPGID);
3372 }
3373
3374 static int selinux_task_getsid(struct task_struct *p)
3375 {
3376         return current_has_perm(p, PROCESS__GETSESSION);
3377 }
3378
3379 static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
3380 {
3381         *secid = task_sid(p);
3382 }
3383
3384 static int selinux_task_setgroups(struct group_info *group_info)
3385 {
3386         /* See the comment for setuid above. */
3387         return 0;
3388 }
3389
3390 static int selinux_task_setnice(struct task_struct *p, int nice)
3391 {
3392         int rc;
3393
3394         rc = secondary_ops->task_setnice(p, nice);
3395         if (rc)
3396                 return rc;
3397
3398         return current_has_perm(p, PROCESS__SETSCHED);
3399 }
3400
3401 static int selinux_task_setioprio(struct task_struct *p, int ioprio)
3402 {
3403         int rc;
3404
3405         rc = secondary_ops->task_setioprio(p, ioprio);
3406         if (rc)
3407                 return rc;
3408
3409         return current_has_perm(p, PROCESS__SETSCHED);
3410 }
3411
3412 static int selinux_task_getioprio(struct task_struct *p)
3413 {
3414         return current_has_perm(p, PROCESS__GETSCHED);
3415 }
3416
3417 static int selinux_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
3418 {
3419         struct rlimit *old_rlim = current->signal->rlim + resource;
3420         int rc;
3421
3422         rc = secondary_ops->task_setrlimit(resource, new_rlim);
3423         if (rc)
3424                 return rc;
3425
3426         /* Control the ability to change the hard limit (whether
3427            lowering or raising it), so that the hard limit can
3428            later be used as a safe reset point for the soft limit
3429            upon context transitions.  See selinux_bprm_committing_creds. */
3430         if (old_rlim->rlim_max != new_rlim->rlim_max)
3431                 return current_has_perm(current, PROCESS__SETRLIMIT);
3432
3433         return 0;
3434 }
3435
3436 static int selinux_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp)
3437 {
3438         int rc;
3439
3440         rc = secondary_ops->task_setscheduler(p, policy, lp);
3441         if (rc)
3442                 return rc;
3443
3444         return current_has_perm(p, PROCESS__SETSCHED);
3445 }
3446
3447 static int selinux_task_getscheduler(struct task_struct *p)
3448 {
3449         return current_has_perm(p, PROCESS__GETSCHED);
3450 }
3451
3452 static int selinux_task_movememory(struct task_struct *p)
3453 {
3454         return current_has_perm(p, PROCESS__SETSCHED);
3455 }
3456
3457 static int selinux_task_kill(struct task_struct *p, struct siginfo *info,
3458                                 int sig, u32 secid)
3459 {
3460         u32 perm;
3461         int rc;
3462
3463         rc = secondary_ops->task_kill(p, info, sig, secid);
3464         if (rc)
3465                 return rc;
3466
3467         if (!sig)
3468                 perm = PROCESS__SIGNULL; /* null signal; existence test */
3469         else
3470                 perm = signal_to_av(sig);
3471         if (secid)
3472                 rc = avc_has_perm(secid, task_sid(p),
3473                                   SECCLASS_PROCESS, perm, NULL);
3474         else
3475                 rc = current_has_perm(p, perm);
3476         return rc;
3477 }
3478
3479 static int selinux_task_prctl(int option,
3480                               unsigned long arg2,
3481                               unsigned long arg3,
3482                               unsigned long arg4,
3483                               unsigned long arg5)
3484 {
3485         /* The current prctl operations do not appear to require
3486            any SELinux controls since they merely observe or modify
3487            the state of the current process. */
3488         return secondary_ops->task_prctl(option, arg2, arg3, arg4, arg5);
3489 }
3490
3491 static int selinux_task_wait(struct task_struct *p)
3492 {
3493         return task_has_perm(p, current, PROCESS__SIGCHLD);
3494 }
3495
3496 static void selinux_task_to_inode(struct task_struct *p,
3497                                   struct inode *inode)
3498 {
3499         struct inode_security_struct *isec = inode->i_security;
3500         u32 sid = task_sid(p);
3501
3502         isec->sid = sid;
3503         isec->initialized = 1;
3504 }
3505
3506 /* Returns error only if unable to parse addresses */
3507 static int selinux_parse_skb_ipv4(struct sk_buff *skb,
3508                         struct avc_audit_data *ad, u8 *proto)
3509 {
3510         int offset, ihlen, ret = -EINVAL;
3511         struct iphdr _iph, *ih;
3512
3513         offset = skb_network_offset(skb);
3514         ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
3515         if (ih == NULL)
3516                 goto out;
3517
3518         ihlen = ih->ihl * 4;
3519         if (ihlen < sizeof(_iph))
3520                 goto out;
3521
3522         ad->u.net.v4info.saddr = ih->saddr;
3523         ad->u.net.v4info.daddr = ih->daddr;
3524         ret = 0;
3525
3526         if (proto)
3527                 *proto = ih->protocol;
3528
3529         switch (ih->protocol) {
3530         case IPPROTO_TCP: {
3531                 struct tcphdr _tcph, *th;
3532
3533                 if (ntohs(ih->frag_off) & IP_OFFSET)
3534                         break;
3535
3536                 offset += ihlen;
3537                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3538                 if (th == NULL)
3539                         break;
3540
3541                 ad->u.net.sport = th->source;
3542                 ad->u.net.dport = th->dest;
3543                 break;
3544         }
3545
3546         case IPPROTO_UDP: {
3547                 struct udphdr _udph, *uh;
3548
3549                 if (ntohs(ih->frag_off) & IP_OFFSET)
3550                         break;
3551
3552                 offset += ihlen;
3553                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3554                 if (uh == NULL)
3555                         break;
3556
3557                 ad->u.net.sport = uh->source;
3558                 ad->u.net.dport = uh->dest;
3559                 break;
3560         }
3561
3562         case IPPROTO_DCCP: {
3563                 struct dccp_hdr _dccph, *dh;
3564
3565                 if (ntohs(ih->frag_off) & IP_OFFSET)
3566                         break;
3567
3568                 offset += ihlen;
3569                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3570                 if (dh == NULL)
3571                         break;
3572
3573                 ad->u.net.sport = dh->dccph_sport;
3574                 ad->u.net.dport = dh->dccph_dport;
3575                 break;
3576         }
3577
3578         default:
3579                 break;
3580         }
3581 out:
3582         return ret;
3583 }
3584
3585 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3586
3587 /* Returns error only if unable to parse addresses */
3588 static int selinux_parse_skb_ipv6(struct sk_buff *skb,
3589                         struct avc_audit_data *ad, u8 *proto)
3590 {
3591         u8 nexthdr;
3592         int ret = -EINVAL, offset;
3593         struct ipv6hdr _ipv6h, *ip6;
3594
3595         offset = skb_network_offset(skb);
3596         ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3597         if (ip6 == NULL)
3598                 goto out;
3599
3600         ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
3601         ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
3602         ret = 0;
3603
3604         nexthdr = ip6->nexthdr;
3605         offset += sizeof(_ipv6h);
3606         offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
3607         if (offset < 0)
3608                 goto out;
3609
3610         if (proto)
3611                 *proto = nexthdr;
3612
3613         switch (nexthdr) {
3614         case IPPROTO_TCP: {
3615                 struct tcphdr _tcph, *th;
3616
3617                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3618                 if (th == NULL)
3619                         break;
3620
3621                 ad->u.net.sport = th->source;
3622                 ad->u.net.dport = th->dest;
3623                 break;
3624         }
3625
3626         case IPPROTO_UDP: {
3627                 struct udphdr _udph, *uh;
3628
3629                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3630                 if (uh == NULL)
3631                         break;
3632
3633                 ad->u.net.sport = uh->source;
3634                 ad->u.net.dport = uh->dest;
3635                 break;
3636         }
3637
3638         case IPPROTO_DCCP: {
3639                 struct dccp_hdr _dccph, *dh;
3640
3641                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3642                 if (dh == NULL)
3643                         break;
3644
3645                 ad->u.net.sport = dh->dccph_sport;
3646                 ad->u.net.dport = dh->dccph_dport;
3647                 break;
3648         }
3649
3650         /* includes fragments */
3651         default:
3652                 break;
3653         }
3654 out:
3655         return ret;
3656 }
3657
3658 #endif /* IPV6 */
3659
3660 static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
3661                              char **_addrp, int src, u8 *proto)
3662 {
3663         char *addrp;
3664         int ret;
3665
3666         switch (ad->u.net.family) {
3667         case PF_INET:
3668                 ret = selinux_parse_skb_ipv4(skb, ad, proto);
3669                 if (ret)
3670                         goto parse_error;
3671                 addrp = (char *)(src ? &ad->u.net.v4info.saddr :
3672                                        &ad->u.net.v4info.daddr);
3673                 goto okay;
3674
3675 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
3676         case PF_INET6:
3677                 ret = selinux_parse_skb_ipv6(skb, ad, proto);
3678                 if (ret)
3679                         goto parse_error;
3680                 addrp = (char *)(src ? &ad->u.net.v6info.saddr :
3681                                        &ad->u.net.v6info.daddr);
3682                 goto okay;
3683 #endif  /* IPV6 */
3684         default:
3685                 addrp = NULL;
3686                 goto okay;
3687         }
3688
3689 parse_error:
3690         printk(KERN_WARNING
3691                "SELinux: failure in selinux_parse_skb(),"
3692                " unable to parse packet\n");
3693         return ret;
3694
3695 okay:
3696         if (_addrp)
3697                 *_addrp = addrp;
3698         return 0;
3699 }
3700
3701 /**
3702  * selinux_skb_peerlbl_sid - Determine the peer label of a packet
3703  * @skb: the packet
3704  * @family: protocol family
3705  * @sid: the packet's peer label SID
3706  *
3707  * Description:
3708  * Check the various different forms of network peer labeling and determine
3709  * the peer label/SID for the packet; most of the magic actually occurs in
3710  * the security server function security_net_peersid_cmp().  The function
3711  * returns zero if the value in @sid is valid (although it may be SECSID_NULL)
3712  * or -EACCES if @sid is invalid due to inconsistencies with the different
3713  * peer labels.
3714  *
3715  */
3716 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
3717 {
3718         int err;
3719         u32 xfrm_sid;
3720         u32 nlbl_sid;
3721         u32 nlbl_type;
3722
3723         selinux_skb_xfrm_sid(skb, &xfrm_sid);
3724         selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
3725
3726         err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
3727         if (unlikely(err)) {
3728                 printk(KERN_WARNING
3729                        "SELinux: failure in selinux_skb_peerlbl_sid(),"
3730                        " unable to determine packet's peer label\n");
3731                 return -EACCES;
3732         }
3733
3734         return 0;
3735 }
3736
3737 /* socket security operations */
3738 static int socket_has_perm(struct task_struct *task, struct socket *sock,
3739                            u32 perms)
3740 {
3741         struct inode_security_struct *isec;
3742         struct avc_audit_data ad;
3743         u32 sid;
3744         int err = 0;
3745
3746         isec = SOCK_INODE(sock)->i_security;
3747
3748         if (isec->sid == SECINITSID_KERNEL)
3749                 goto out;
3750         sid = task_sid(task);
3751
3752         AVC_AUDIT_DATA_INIT(&ad, NET);
3753         ad.u.net.sk = sock->sk;
3754         err = avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
3755
3756 out:
3757         return err;
3758 }
3759
3760 static int selinux_socket_create(int family, int type,
3761                                  int protocol, int kern)
3762 {
3763         const struct cred *cred = current_cred();
3764         const struct task_security_struct *tsec = cred->security;
3765         u32 sid, newsid;
3766         u16 secclass;
3767         int err = 0;
3768
3769         if (kern)
3770                 goto out;
3771
3772         sid = tsec->sid;
3773         newsid = tsec->sockcreate_sid ?: sid;
3774
3775         secclass = socket_type_to_security_class(family, type, protocol);
3776         err = avc_has_perm(sid, newsid, secclass, SOCKET__CREATE, NULL);
3777
3778 out:
3779         return err;
3780 }
3781
3782 static int selinux_socket_post_create(struct socket *sock, int family,
3783                                       int type, int protocol, int kern)
3784 {
3785         const struct cred *cred = current_cred();
3786         const struct task_security_struct *tsec = cred->security;
3787         struct inode_security_struct *isec;
3788         struct sk_security_struct *sksec;
3789         u32 sid, newsid;
3790         int err = 0;
3791
3792         sid = tsec->sid;
3793         newsid = tsec->sockcreate_sid;
3794
3795         isec = SOCK_INODE(sock)->i_security;
3796
3797         if (kern)
3798                 isec->sid = SECINITSID_KERNEL;
3799         else if (newsid)
3800                 isec->sid = newsid;
3801         else
3802                 isec->sid = sid;
3803
3804         isec->sclass = socket_type_to_security_class(family, type, protocol);
3805         isec->initialized = 1;
3806
3807         if (sock->sk) {
3808                 sksec = sock->sk->sk_security;
3809                 sksec->sid = isec->sid;
3810                 sksec->sclass = isec->sclass;
3811                 err = selinux_netlbl_socket_post_create(sock);
3812         }
3813
3814         return err;
3815 }
3816
3817 /* Range of port numbers used to automatically bind.
3818    Need to determine whether we should perform a name_bind
3819    permission check between the socket and the port number. */
3820
3821 static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
3822 {
3823         u16 family;
3824         int err;
3825
3826         err = socket_has_perm(current, sock, SOCKET__BIND);
3827         if (err)
3828                 goto out;
3829
3830         /*
3831          * If PF_INET or PF_INET6, check name_bind permission for the port.
3832          * Multiple address binding for SCTP is not supported yet: we just
3833          * check the first address now.
3834          */
3835         family = sock->sk->sk_family;
3836         if (family == PF_INET || family == PF_INET6) {
3837                 char *addrp;
3838                 struct inode_security_struct *isec;
3839                 struct avc_audit_data ad;
3840                 struct sockaddr_in *addr4 = NULL;
3841                 struct sockaddr_in6 *addr6 = NULL;
3842                 unsigned short snum;
3843                 struct sock *sk = sock->sk;
3844                 u32 sid, node_perm;
3845
3846                 isec = SOCK_INODE(sock)->i_security;
3847
3848                 if (family == PF_INET) {
3849                         addr4 = (struct sockaddr_in *)address;
3850                         snum = ntohs(addr4->sin_port);
3851                         addrp = (char *)&addr4->sin_addr.s_addr;
3852                 } else {
3853                         addr6 = (struct sockaddr_in6 *)address;
3854                         snum = ntohs(addr6->sin6_port);
3855                         addrp = (char *)&addr6->sin6_addr.s6_addr;
3856                 }
3857
3858                 if (snum) {
3859                         int low, high;
3860
3861                         inet_get_local_port_range(&low, &high);
3862
3863                         if (snum < max(PROT_SOCK, low) || snum > high) {
3864                                 err = sel_netport_sid(sk->sk_protocol,
3865                                                       snum, &sid);
3866                                 if (err)
3867                                         goto out;
3868                                 AVC_AUDIT_DATA_INIT(&ad, NET);
3869                                 ad.u.net.sport = htons(snum);
3870                                 ad.u.net.family = family;
3871                                 err = avc_has_perm(isec->sid, sid,
3872                                                    isec->sclass,
3873                                                    SOCKET__NAME_BIND, &ad);
3874                                 if (err)
3875                                         goto out;
3876                         }
3877                 }
3878
3879                 switch (isec->sclass) {
3880                 case SECCLASS_TCP_SOCKET:
3881                         node_perm = TCP_SOCKET__NODE_BIND;
3882                         break;
3883
3884                 case SECCLASS_UDP_SOCKET:
3885                         node_perm = UDP_SOCKET__NODE_BIND;
3886                         break;
3887
3888                 case SECCLASS_DCCP_SOCKET:
3889                         node_perm = DCCP_SOCKET__NODE_BIND;
3890                         break;
3891
3892                 default:
3893                         node_perm = RAWIP_SOCKET__NODE_BIND;
3894                         break;
3895                 }
3896
3897                 err = sel_netnode_sid(addrp, family, &sid);
3898                 if (err)
3899                         goto out;
3900
3901                 AVC_AUDIT_DATA_INIT(&ad, NET);
3902                 ad.u.net.sport = htons(snum);
3903                 ad.u.net.family = family;
3904
3905                 if (family == PF_INET)
3906                         ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
3907                 else
3908                         ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
3909
3910                 err = avc_has_perm(isec->sid, sid,
3911                                    isec->sclass, node_perm, &ad);
3912                 if (err)
3913                         goto out;
3914         }
3915 out:
3916         return err;
3917 }
3918
3919 static int selinux_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
3920 {
3921         struct sock *sk = sock->sk;
3922         struct inode_security_struct *isec;
3923         int err;
3924
3925         err = socket_has_perm(current, sock, SOCKET__CONNECT);
3926         if (err)
3927                 return err;
3928
3929         /*
3930          * If a TCP or DCCP socket, check name_connect permission for the port.
3931          */
3932         isec = SOCK_INODE(sock)->i_security;
3933         if (isec->sclass == SECCLASS_TCP_SOCKET ||
3934             isec->sclass == SECCLASS_DCCP_SOCKET) {
3935                 struct avc_audit_data ad;
3936                 struct sockaddr_in *addr4 = NULL;
3937                 struct sockaddr_in6 *addr6 = NULL;
3938                 unsigned short snum;
3939                 u32 sid, perm;
3940
3941                 if (sk->sk_family == PF_INET) {
3942                         addr4 = (struct sockaddr_in *)address;
3943                         if (addrlen < sizeof(struct sockaddr_in))
3944                                 return -EINVAL;
3945                         snum = ntohs(addr4->sin_port);
3946                 } else {
3947                         addr6 = (struct sockaddr_in6 *)address;
3948                         if (addrlen < SIN6_LEN_RFC2133)
3949                                 return -EINVAL;
3950                         snum = ntohs(addr6->sin6_port);
3951                 }
3952
3953                 err = sel_netport_sid(sk->sk_protocol, snum, &sid);
3954                 if (err)
3955                         goto out;
3956
3957                 perm = (isec->sclass == SECCLASS_TCP_SOCKET) ?
3958                        TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
3959
3960                 AVC_AUDIT_DATA_INIT(&ad, NET);
3961                 ad.u.net.dport = htons(snum);
3962                 ad.u.net.family = sk->sk_family;
3963                 err = avc_has_perm(isec->sid, sid, isec->sclass, perm, &ad);
3964                 if (err)
3965                         goto out;
3966         }
3967
3968         err = selinux_netlbl_socket_connect(sk, address);
3969
3970 out:
3971         return err;
3972 }
3973
3974 static int selinux_socket_listen(struct socket *sock, int backlog)
3975 {
3976         return socket_has_perm(current, sock, SOCKET__LISTEN);
3977 }
3978
3979 static int selinux_socket_accept(struct socket *sock, struct socket *newsock)
3980 {
3981         int err;
3982         struct inode_security_struct *isec;
3983         struct inode_security_struct *newisec;
3984
3985         err = socket_has_perm(current, sock, SOCKET__ACCEPT);
3986         if (err)
3987                 return err;
3988
3989         newisec = SOCK_INODE(newsock)->i_security;
3990
3991         isec = SOCK_INODE(sock)->i_security;
3992         newisec->sclass = isec->sclass;
3993         newisec->sid = isec->sid;
3994         newisec->initialized = 1;
3995
3996         return 0;
3997 }
3998
3999 static int selinux_socket_sendmsg(struct socket *sock, struct msghdr *msg,
4000                                   int size)
4001 {
4002         int rc;
4003
4004         rc = socket_has_perm(current, sock, SOCKET__WRITE);
4005         if (rc)
4006                 return rc;
4007
4008         return selinux_netlbl_inode_permission(SOCK_INODE(sock), MAY_WRITE);
4009 }
4010
4011 static int selinux_socket_recvmsg(struct socket *sock, struct msghdr *msg,
4012                                   int size, int flags)
4013 {
4014         return socket_has_perm(current, sock, SOCKET__READ);
4015 }
4016
4017 static int selinux_socket_getsockname(struct socket *sock)
4018 {
4019         return socket_has_perm(current, sock, SOCKET__GETATTR);
4020 }
4021
4022 static int selinux_socket_getpeername(struct socket *sock)
4023 {
4024         return socket_has_perm(current, sock, SOCKET__GETATTR);
4025 }
4026
4027 static int selinux_socket_setsockopt(struct socket *sock, int level, int optname)
4028 {
4029         int err;
4030
4031         err = socket_has_perm(current, sock, SOCKET__SETOPT);
4032         if (err)
4033                 return err;
4034
4035         return selinux_netlbl_socket_setsockopt(sock, level, optname);
4036 }
4037
4038 static int selinux_socket_getsockopt(struct socket *sock, int level,
4039                                      int optname)
4040 {
4041         return socket_has_perm(current, sock, SOCKET__GETOPT);
4042 }
4043
4044 static int selinux_socket_shutdown(struct socket *sock, int how)
4045 {
4046         return socket_has_perm(current, sock, SOCKET__SHUTDOWN);
4047 }
4048
4049 static int selinux_socket_unix_stream_connect(struct socket *sock,
4050                                               struct socket *other,
4051                                               struct sock *newsk)
4052 {
4053         struct sk_security_struct *ssec;
4054         struct inode_security_struct *isec;
4055         struct inode_security_struct *other_isec;
4056         struct avc_audit_data ad;
4057         int err;
4058
4059         err = secondary_ops->unix_stream_connect(sock, other, newsk);
4060         if (err)
4061                 return err;
4062
4063         isec = SOCK_INODE(sock)->i_security;
4064         other_isec = SOCK_INODE(other)->i_security;
4065
4066         AVC_AUDIT_DATA_INIT(&ad, NET);
4067         ad.u.net.sk = other->sk;
4068
4069         err = avc_has_perm(isec->sid, other_isec->sid,
4070                            isec->sclass,
4071                            UNIX_STREAM_SOCKET__CONNECTTO, &ad);
4072         if (err)
4073                 return err;
4074
4075         /* connecting socket */
4076         ssec = sock->sk->sk_security;
4077         ssec->peer_sid = other_isec->sid;
4078
4079         /* server child socket */
4080         ssec = newsk->sk_security;
4081         ssec->peer_sid = isec->sid;
4082         err = security_sid_mls_copy(other_isec->sid, ssec->peer_sid, &ssec->sid);
4083
4084         return err;
4085 }
4086
4087 static int selinux_socket_unix_may_send(struct socket *sock,
4088                                         struct socket *other)
4089 {
4090         struct inode_security_struct *isec;
4091         struct inode_security_struct *other_isec;
4092         struct avc_audit_data ad;
4093         int err;
4094
4095         isec = SOCK_INODE(sock)->i_security;
4096         other_isec = SOCK_INODE(other)->i_security;
4097
4098         AVC_AUDIT_DATA_INIT(&ad, NET);
4099         ad.u.net.sk = other->sk;
4100
4101         err = avc_has_perm(isec->sid, other_isec->sid,
4102                            isec->sclass, SOCKET__SENDTO, &ad);
4103         if (err)
4104                 return err;
4105
4106         return 0;
4107 }
4108
4109 static int selinux_inet_sys_rcv_skb(int ifindex, char *addrp, u16 family,
4110                                     u32 peer_sid,
4111                                     struct avc_audit_data *ad)
4112 {
4113         int err;
4114         u32 if_sid;
4115         u32 node_sid;
4116
4117         err = sel_netif_sid(ifindex, &if_sid);
4118         if (err)
4119                 return err;
4120         err = avc_has_perm(peer_sid, if_sid,
4121                            SECCLASS_NETIF, NETIF__INGRESS, ad);
4122         if (err)
4123                 return err;
4124
4125         err = sel_netnode_sid(addrp, family, &node_sid);
4126         if (err)
4127                 return err;
4128         return avc_has_perm(peer_sid, node_sid,
4129                             SECCLASS_NODE, NODE__RECVFROM, ad);
4130 }
4131
4132 static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
4133                                                 struct sk_buff *skb,
4134                                                 struct avc_audit_data *ad,
4135                                                 u16 family,
4136                                                 char *addrp)
4137 {
4138         int err;
4139         struct sk_security_struct *sksec = sk->sk_security;
4140         u16 sk_class;
4141         u32 netif_perm, node_perm, recv_perm;
4142         u32 port_sid, node_sid, if_sid, sk_sid;
4143
4144         sk_sid = sksec->sid;
4145         sk_class = sksec->sclass;
4146
4147         switch (sk_class) {
4148         case SECCLASS_UDP_SOCKET:
4149                 netif_perm = NETIF__UDP_RECV;
4150                 node_perm = NODE__UDP_RECV;
4151                 recv_perm = UDP_SOCKET__RECV_MSG;
4152                 break;
4153         case SECCLASS_TCP_SOCKET:
4154                 netif_perm = NETIF__TCP_RECV;
4155                 node_perm = NODE__TCP_RECV;
4156                 recv_perm = TCP_SOCKET__RECV_MSG;
4157                 break;
4158         case SECCLASS_DCCP_SOCKET:
4159                 netif_perm = NETIF__DCCP_RECV;
4160                 node_perm = NODE__DCCP_RECV;
4161                 recv_perm = DCCP_SOCKET__RECV_MSG;
4162                 break;
4163         default:
4164                 netif_perm = NETIF__RAWIP_RECV;
4165                 node_perm = NODE__RAWIP_RECV;
4166                 recv_perm = 0;
4167                 break;
4168         }
4169
4170         err = sel_netif_sid(skb->iif, &if_sid);
4171         if (err)
4172                 return err;
4173         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4174         if (err)
4175                 return err;
4176
4177         err = sel_netnode_sid(addrp, family, &node_sid);
4178         if (err)
4179                 return err;
4180         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4181         if (err)
4182                 return err;
4183
4184         if (!recv_perm)
4185                 return 0;
4186         err = sel_netport_sid(sk->sk_protocol,
4187                               ntohs(ad->u.net.sport), &port_sid);
4188         if (unlikely(err)) {
4189                 printk(KERN_WARNING
4190                        "SELinux: failure in"
4191                        " selinux_sock_rcv_skb_iptables_compat(),"
4192                        " network port label not found\n");
4193                 return err;
4194         }
4195         return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
4196 }
4197
4198 static int selinux_sock_rcv_skb_compat(struct sock *sk, struct sk_buff *skb,
4199                                        u16 family)
4200 {
4201         int err = 0;
4202         struct sk_security_struct *sksec = sk->sk_security;
4203         u32 peer_sid;
4204         u32 sk_sid = sksec->sid;
4205         struct avc_audit_data ad;
4206         char *addrp;
4207
4208         AVC_AUDIT_DATA_INIT(&ad, NET);
4209         ad.u.net.netif = skb->iif;
4210         ad.u.net.family = family;
4211         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4212         if (err)
4213                 return err;
4214
4215         if (selinux_compat_net)
4216                 err = selinux_sock_rcv_skb_iptables_compat(sk, skb, &ad,
4217                                                            family, addrp);
4218         else if (selinux_secmark_enabled())
4219                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4220                                    PACKET__RECV, &ad);
4221         if (err)
4222                 return err;
4223
4224         if (selinux_policycap_netpeer) {
4225                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4226                 if (err)
4227                         return err;
4228                 err = avc_has_perm(sk_sid, peer_sid,
4229                                    SECCLASS_PEER, PEER__RECV, &ad);
4230                 if (err)
4231                         selinux_netlbl_err(skb, err, 0);
4232         } else {
4233                 err = selinux_netlbl_sock_rcv_skb(sksec, skb, family, &ad);
4234                 if (err)
4235                         return err;
4236                 err = selinux_xfrm_sock_rcv_skb(sksec->sid, skb, &ad);
4237         }
4238
4239         return err;
4240 }
4241
4242 static int selinux_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
4243 {
4244         int err;
4245         struct sk_security_struct *sksec = sk->sk_security;
4246         u16 family = sk->sk_family;
4247         u32 sk_sid = sksec->sid;
4248         struct avc_audit_data ad;
4249         char *addrp;
4250         u8 secmark_active;
4251         u8 peerlbl_active;
4252
4253         if (family != PF_INET && family != PF_INET6)
4254                 return 0;
4255
4256         /* Handle mapped IPv4 packets arriving via IPv6 sockets */
4257         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4258                 family = PF_INET;
4259
4260         /* If any sort of compatibility mode is enabled then handoff processing
4261          * to the selinux_sock_rcv_skb_compat() function to deal with the
4262          * special handling.  We do this in an attempt to keep this function
4263          * as fast and as clean as possible. */
4264         if (selinux_compat_net || !selinux_policycap_netpeer)
4265                 return selinux_sock_rcv_skb_compat(sk, skb, family);
4266
4267         secmark_active = selinux_secmark_enabled();
4268         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4269         if (!secmark_active && !peerlbl_active)
4270                 return 0;
4271
4272         AVC_AUDIT_DATA_INIT(&ad, NET);
4273         ad.u.net.netif = skb->iif;
4274         ad.u.net.family = family;
4275         err = selinux_parse_skb(skb, &ad, &addrp, 1, NULL);
4276         if (err)
4277                 return err;
4278
4279         if (peerlbl_active) {
4280                 u32 peer_sid;
4281
4282                 err = selinux_skb_peerlbl_sid(skb, family, &peer_sid);
4283                 if (err)
4284                         return err;
4285                 err = selinux_inet_sys_rcv_skb(skb->iif, addrp, family,
4286                                                peer_sid, &ad);
4287                 if (err) {
4288                         selinux_netlbl_err(skb, err, 0);
4289                         return err;
4290                 }
4291                 err = avc_has_perm(sk_sid, peer_sid, SECCLASS_PEER,
4292                                    PEER__RECV, &ad);
4293                 if (err)
4294                         selinux_netlbl_err(skb, err, 0);
4295         }
4296
4297         if (secmark_active) {
4298                 err = avc_has_perm(sk_sid, skb->secmark, SECCLASS_PACKET,
4299                                    PACKET__RECV, &ad);
4300                 if (err)
4301                         return err;
4302         }
4303
4304         return err;
4305 }
4306
4307 static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *optval,
4308                                             int __user *optlen, unsigned len)
4309 {
4310         int err = 0;
4311         char *scontext;
4312         u32 scontext_len;
4313         struct sk_security_struct *ssec;
4314         struct inode_security_struct *isec;
4315         u32 peer_sid = SECSID_NULL;
4316
4317         isec = SOCK_INODE(sock)->i_security;
4318
4319         if (isec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
4320             isec->sclass == SECCLASS_TCP_SOCKET) {
4321                 ssec = sock->sk->sk_security;
4322                 peer_sid = ssec->peer_sid;
4323         }
4324         if (peer_sid == SECSID_NULL) {
4325                 err = -ENOPROTOOPT;
4326                 goto out;
4327         }
4328
4329         err = security_sid_to_context(peer_sid, &scontext, &scontext_len);
4330
4331         if (err)
4332                 goto out;
4333
4334         if (scontext_len > len) {
4335                 err = -ERANGE;
4336                 goto out_len;
4337         }
4338
4339         if (copy_to_user(optval, scontext, scontext_len))
4340                 err = -EFAULT;
4341
4342 out_len:
4343         if (put_user(scontext_len, optlen))
4344                 err = -EFAULT;
4345
4346         kfree(scontext);
4347 out:
4348         return err;
4349 }
4350
4351 static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
4352 {
4353         u32 peer_secid = SECSID_NULL;
4354         u16 family;
4355
4356         if (skb && skb->protocol == htons(ETH_P_IP))
4357                 family = PF_INET;
4358         else if (skb && skb->protocol == htons(ETH_P_IPV6))
4359                 family = PF_INET6;
4360         else if (sock)
4361                 family = sock->sk->sk_family;
4362         else
4363                 goto out;
4364
4365         if (sock && family == PF_UNIX)
4366                 selinux_inode_getsecid(SOCK_INODE(sock), &peer_secid);
4367         else if (skb)
4368                 selinux_skb_peerlbl_sid(skb, family, &peer_secid);
4369
4370 out:
4371         *secid = peer_secid;
4372         if (peer_secid == SECSID_NULL)
4373                 return -EINVAL;
4374         return 0;
4375 }
4376
4377 static int selinux_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
4378 {
4379         return sk_alloc_security(sk, family, priority);
4380 }
4381
4382 static void selinux_sk_free_security(struct sock *sk)
4383 {
4384         sk_free_security(sk);
4385 }
4386
4387 static void selinux_sk_clone_security(const struct sock *sk, struct sock *newsk)
4388 {
4389         struct sk_security_struct *ssec = sk->sk_security;
4390         struct sk_security_struct *newssec = newsk->sk_security;
4391
4392         newssec->sid = ssec->sid;
4393         newssec->peer_sid = ssec->peer_sid;
4394         newssec->sclass = ssec->sclass;
4395
4396         selinux_netlbl_sk_security_reset(newssec, newsk->sk_family);
4397 }
4398
4399 static void selinux_sk_getsecid(struct sock *sk, u32 *secid)
4400 {
4401         if (!sk)
4402                 *secid = SECINITSID_ANY_SOCKET;
4403         else {
4404                 struct sk_security_struct *sksec = sk->sk_security;
4405
4406                 *secid = sksec->sid;
4407         }
4408 }
4409
4410 static void selinux_sock_graft(struct sock *sk, struct socket *parent)
4411 {
4412         struct inode_security_struct *isec = SOCK_INODE(parent)->i_security;
4413         struct sk_security_struct *sksec = sk->sk_security;
4414
4415         if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6 ||
4416             sk->sk_family == PF_UNIX)
4417                 isec->sid = sksec->sid;
4418         sksec->sclass = isec->sclass;
4419 }
4420
4421 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4422                                      struct request_sock *req)
4423 {
4424         struct sk_security_struct *sksec = sk->sk_security;
4425         int err;
4426         u16 family = sk->sk_family;
4427         u32 newsid;
4428         u32 peersid;
4429
4430         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4431         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4432                 family = PF_INET;
4433
4434         err = selinux_skb_peerlbl_sid(skb, family, &peersid);
4435         if (err)
4436                 return err;
4437         if (peersid == SECSID_NULL) {
4438                 req->secid = sksec->sid;
4439                 req->peer_secid = SECSID_NULL;
4440                 return 0;
4441         }
4442
4443         err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
4444         if (err)
4445                 return err;
4446
4447         req->secid = newsid;
4448         req->peer_secid = peersid;
4449         return 0;
4450 }
4451
4452 static void selinux_inet_csk_clone(struct sock *newsk,
4453                                    const struct request_sock *req)
4454 {
4455         struct sk_security_struct *newsksec = newsk->sk_security;
4456
4457         newsksec->sid = req->secid;
4458         newsksec->peer_sid = req->peer_secid;
4459         /* NOTE: Ideally, we should also get the isec->sid for the
4460            new socket in sync, but we don't have the isec available yet.
4461            So we will wait until sock_graft to do it, by which
4462            time it will have been created and available. */
4463
4464         /* We don't need to take any sort of lock here as we are the only
4465          * thread with access to newsksec */
4466         selinux_netlbl_sk_security_reset(newsksec, req->rsk_ops->family);
4467 }
4468
4469 static void selinux_inet_conn_established(struct sock *sk, struct sk_buff *skb)
4470 {
4471         u16 family = sk->sk_family;
4472         struct sk_security_struct *sksec = sk->sk_security;
4473
4474         /* handle mapped IPv4 packets arriving via IPv6 sockets */
4475         if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
4476                 family = PF_INET;
4477
4478         selinux_skb_peerlbl_sid(skb, family, &sksec->peer_sid);
4479
4480         selinux_netlbl_inet_conn_established(sk, family);
4481 }
4482
4483 static void selinux_req_classify_flow(const struct request_sock *req,
4484                                       struct flowi *fl)
4485 {
4486         fl->secid = req->secid;
4487 }
4488
4489 static int selinux_nlmsg_perm(struct sock *sk, struct sk_buff *skb)
4490 {
4491         int err = 0;
4492         u32 perm;
4493         struct nlmsghdr *nlh;
4494         struct socket *sock = sk->sk_socket;
4495         struct inode_security_struct *isec = SOCK_INODE(sock)->i_security;
4496
4497         if (skb->len < NLMSG_SPACE(0)) {
4498                 err = -EINVAL;
4499                 goto out;
4500         }
4501         nlh = nlmsg_hdr(skb);
4502
4503         err = selinux_nlmsg_lookup(isec->sclass, nlh->nlmsg_type, &perm);
4504         if (err) {
4505                 if (err == -EINVAL) {
4506                         audit_log(current->audit_context, GFP_KERNEL, AUDIT_SELINUX_ERR,
4507                                   "SELinux:  unrecognized netlink message"
4508                                   " type=%hu for sclass=%hu\n",
4509                                   nlh->nlmsg_type, isec->sclass);
4510                         if (!selinux_enforcing || security_get_allow_unknown())
4511                                 err = 0;
4512                 }
4513
4514                 /* Ignore */
4515                 if (err == -ENOENT)
4516                         err = 0;
4517                 goto out;
4518         }
4519
4520         err = socket_has_perm(current, sock, perm);
4521 out:
4522         return err;
4523 }
4524
4525 #ifdef CONFIG_NETFILTER
4526
4527 static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
4528                                        u16 family)
4529 {
4530         int err;
4531         char *addrp;
4532         u32 peer_sid;
4533         struct avc_audit_data ad;
4534         u8 secmark_active;
4535         u8 netlbl_active;
4536         u8 peerlbl_active;
4537
4538         if (!selinux_policycap_netpeer)
4539                 return NF_ACCEPT;
4540
4541         secmark_active = selinux_secmark_enabled();
4542         netlbl_active = netlbl_enabled();
4543         peerlbl_active = netlbl_active || selinux_xfrm_enabled();
4544         if (!secmark_active && !peerlbl_active)
4545                 return NF_ACCEPT;
4546
4547         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid) != 0)
4548                 return NF_DROP;
4549
4550         AVC_AUDIT_DATA_INIT(&ad, NET);
4551         ad.u.net.netif = ifindex;
4552         ad.u.net.family = family;
4553         if (selinux_parse_skb(skb, &ad, &addrp, 1, NULL) != 0)
4554                 return NF_DROP;
4555
4556         if (peerlbl_active) {
4557                 err = selinux_inet_sys_rcv_skb(ifindex, addrp, family,
4558                                                peer_sid, &ad);
4559                 if (err) {
4560                         selinux_netlbl_err(skb, err, 1);
4561                         return NF_DROP;
4562                 }
4563         }
4564
4565         if (secmark_active)
4566                 if (avc_has_perm(peer_sid, skb->secmark,
4567                                  SECCLASS_PACKET, PACKET__FORWARD_IN, &ad))
4568                         return NF_DROP;
4569
4570         if (netlbl_active)
4571                 /* we do this in the FORWARD path and not the POST_ROUTING
4572                  * path because we want to make sure we apply the necessary
4573                  * labeling before IPsec is applied so we can leverage AH
4574                  * protection */
4575                 if (selinux_netlbl_skbuff_setsid(skb, family, peer_sid) != 0)
4576                         return NF_DROP;
4577
4578         return NF_ACCEPT;
4579 }
4580
4581 static unsigned int selinux_ipv4_forward(unsigned int hooknum,
4582                                          struct sk_buff *skb,
4583                                          const struct net_device *in,
4584                                          const struct net_device *out,
4585                                          int (*okfn)(struct sk_buff *))
4586 {
4587         return selinux_ip_forward(skb, in->ifindex, PF_INET);
4588 }
4589
4590 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4591 static unsigned int selinux_ipv6_forward(unsigned int hooknum,
4592                                          struct sk_buff *skb,
4593                                          const struct net_device *in,
4594                                          const struct net_device *out,
4595                                          int (*okfn)(struct sk_buff *))
4596 {
4597         return selinux_ip_forward(skb, in->ifindex, PF_INET6);
4598 }
4599 #endif  /* IPV6 */
4600
4601 static unsigned int selinux_ip_output(struct sk_buff *skb,
4602                                       u16 family)
4603 {
4604         u32 sid;
4605
4606         if (!netlbl_enabled())
4607                 return NF_ACCEPT;
4608
4609         /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
4610          * because we want to make sure we apply the necessary labeling
4611          * before IPsec is applied so we can leverage AH protection */
4612         if (skb->sk) {
4613                 struct sk_security_struct *sksec = skb->sk->sk_security;
4614                 sid = sksec->sid;
4615         } else
4616                 sid = SECINITSID_KERNEL;
4617         if (selinux_netlbl_skbuff_setsid(skb, family, sid) != 0)
4618                 return NF_DROP;
4619
4620         return NF_ACCEPT;
4621 }
4622
4623 static unsigned int selinux_ipv4_output(unsigned int hooknum,
4624                                         struct sk_buff *skb,
4625                                         const struct net_device *in,
4626                                         const struct net_device *out,
4627                                         int (*okfn)(struct sk_buff *))
4628 {
4629         return selinux_ip_output(skb, PF_INET);
4630 }
4631
4632 static int selinux_ip_postroute_iptables_compat(struct sock *sk,
4633                                                 int ifindex,
4634                                                 struct avc_audit_data *ad,
4635                                                 u16 family, char *addrp)
4636 {
4637         int err;
4638         struct sk_security_struct *sksec = sk->sk_security;
4639         u16 sk_class;
4640         u32 netif_perm, node_perm, send_perm;
4641         u32 port_sid, node_sid, if_sid, sk_sid;
4642
4643         sk_sid = sksec->sid;
4644         sk_class = sksec->sclass;
4645
4646         switch (sk_class) {
4647         case SECCLASS_UDP_SOCKET:
4648                 netif_perm = NETIF__UDP_SEND;
4649                 node_perm = NODE__UDP_SEND;
4650                 send_perm = UDP_SOCKET__SEND_MSG;
4651                 break;
4652         case SECCLASS_TCP_SOCKET:
4653                 netif_perm = NETIF__TCP_SEND;
4654                 node_perm = NODE__TCP_SEND;
4655                 send_perm = TCP_SOCKET__SEND_MSG;
4656                 break;
4657         case SECCLASS_DCCP_SOCKET:
4658                 netif_perm = NETIF__DCCP_SEND;
4659                 node_perm = NODE__DCCP_SEND;
4660                 send_perm = DCCP_SOCKET__SEND_MSG;
4661                 break;
4662         default:
4663                 netif_perm = NETIF__RAWIP_SEND;
4664                 node_perm = NODE__RAWIP_SEND;
4665                 send_perm = 0;
4666                 break;
4667         }
4668
4669         err = sel_netif_sid(ifindex, &if_sid);
4670         if (err)
4671                 return err;
4672         err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
4673                 return err;
4674
4675         err = sel_netnode_sid(addrp, family, &node_sid);
4676         if (err)
4677                 return err;
4678         err = avc_has_perm(sk_sid, node_sid, SECCLASS_NODE, node_perm, ad);
4679         if (err)
4680                 return err;
4681
4682         if (send_perm != 0)
4683                 return 0;
4684
4685         err = sel_netport_sid(sk->sk_protocol,
4686                               ntohs(ad->u.net.dport), &port_sid);
4687         if (unlikely(err)) {
4688                 printk(KERN_WARNING
4689                        "SELinux: failure in"
4690                        " selinux_ip_postroute_iptables_compat(),"
4691                        " network port label not found\n");
4692                 return err;
4693         }
4694         return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
4695 }
4696
4697 static unsigned int selinux_ip_postroute_compat(struct sk_buff *skb,
4698                                                 int ifindex,
4699                                                 u16 family)
4700 {
4701         struct sock *sk = skb->sk;
4702         struct sk_security_struct *sksec;
4703         struct avc_audit_data ad;
4704         char *addrp;
4705         u8 proto;
4706
4707         if (sk == NULL)
4708                 return NF_ACCEPT;
4709         sksec = sk->sk_security;
4710
4711         AVC_AUDIT_DATA_INIT(&ad, NET);
4712         ad.u.net.netif = ifindex;
4713         ad.u.net.family = family;
4714         if (selinux_parse_skb(skb, &ad, &addrp, 0, &proto))
4715                 return NF_DROP;
4716
4717         if (selinux_compat_net) {
4718                 if (selinux_ip_postroute_iptables_compat(skb->sk, ifindex,
4719                                                          &ad, family, addrp))
4720                         return NF_DROP;
4721         } else if (selinux_secmark_enabled()) {
4722                 if (avc_has_perm(sksec->sid, skb->secmark,
4723                                  SECCLASS_PACKET, PACKET__SEND, &ad))
4724                         return NF_DROP;
4725         }
4726
4727         if (selinux_policycap_netpeer)
4728                 if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))
4729                         return NF_DROP;
4730
4731         return NF_ACCEPT;
4732 }
4733
4734 static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
4735                                          u16 family)
4736 {
4737         u32 secmark_perm;
4738         u32 peer_sid;
4739         struct sock *sk;
4740         struct avc_audit_data ad;
4741         char *addrp;
4742         u8 secmark_active;
4743         u8 peerlbl_active;
4744
4745         /* If any sort of compatibility mode is enabled then handoff processing
4746          * to the selinux_ip_postroute_compat() function to deal with the
4747          * special handling.  We do this in an attempt to keep this function
4748          * as fast and as clean as possible. */
4749         if (selinux_compat_net || !selinux_policycap_netpeer)
4750                 return selinux_ip_postroute_compat(skb, ifindex, family);
4751 #ifdef CONFIG_XFRM
4752         /* If skb->dst->xfrm is non-NULL then the packet is undergoing an IPsec
4753          * packet transformation so allow the packet to pass without any checks
4754          * since we'll have another chance to perform access control checks
4755          * when the packet is on it's final way out.
4756          * NOTE: there appear to be some IPv6 multicast cases where skb->dst
4757          *       is NULL, in this case go ahead and apply access control. */
4758         if (skb->dst != NULL && skb->dst->xfrm != NULL)
4759                 return NF_ACCEPT;
4760 #endif
4761         secmark_active = selinux_secmark_enabled();
4762         peerlbl_active = netlbl_enabled() || selinux_xfrm_enabled();
4763         if (!secmark_active && !peerlbl_active)
4764                 return NF_ACCEPT;
4765
4766         /* if the packet is being forwarded then get the peer label from the
4767          * packet itself; otherwise check to see if it is from a local
4768          * application or the kernel, if from an application get the peer label
4769          * from the sending socket, otherwise use the kernel's sid */
4770         sk = skb->sk;
4771         if (sk == NULL) {
4772                 switch (family) {
4773                 case PF_INET:
4774                         if (IPCB(skb)->flags & IPSKB_FORWARDED)
4775                                 secmark_perm = PACKET__FORWARD_OUT;
4776                         else
4777                                 secmark_perm = PACKET__SEND;
4778                         break;
4779                 case PF_INET6:
4780                         if (IP6CB(skb)->flags & IP6SKB_FORWARDED)
4781                                 secmark_perm = PACKET__FORWARD_OUT;
4782                         else
4783                                 secmark_perm = PACKET__SEND;
4784                         break;
4785                 default:
4786                         return NF_DROP;
4787                 }
4788                 if (secmark_perm == PACKET__FORWARD_OUT) {
4789                         if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
4790                                 return NF_DROP;
4791                 } else
4792                         peer_sid = SECINITSID_KERNEL;
4793         } else {
4794                 struct sk_security_struct *sksec = sk->sk_security;
4795                 peer_sid = sksec->sid;
4796                 secmark_perm = PACKET__SEND;
4797         }
4798
4799         AVC_AUDIT_DATA_INIT(&ad, NET);
4800         ad.u.net.netif = ifindex;
4801         ad.u.net.family = family;
4802         if (selinux_parse_skb(skb, &ad, &addrp, 0, NULL))
4803                 return NF_DROP;
4804
4805         if (secmark_active)
4806                 if (avc_has_perm(peer_sid, skb->secmark,
4807                                  SECCLASS_PACKET, secmark_perm, &ad))
4808                         return NF_DROP;
4809
4810         if (peerlbl_active) {
4811                 u32 if_sid;
4812                 u32 node_sid;
4813
4814                 if (sel_netif_sid(ifindex, &if_sid))
4815                         return NF_DROP;
4816                 if (avc_has_perm(peer_sid, if_sid,
4817                                  SECCLASS_NETIF, NETIF__EGRESS, &ad))
4818                         return NF_DROP;
4819
4820                 if (sel_netnode_sid(addrp, family, &node_sid))
4821                         return NF_DROP;
4822                 if (avc_has_perm(peer_sid, node_sid,
4823                                  SECCLASS_NODE, NODE__SENDTO, &ad))
4824                         return NF_DROP;
4825         }
4826
4827         return NF_ACCEPT;
4828 }
4829
4830 static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
4831                                            struct sk_buff *skb,
4832                                            const struct net_device *in,
4833                                            const struct net_device *out,
4834                                            int (*okfn)(struct sk_buff *))
4835 {
4836         return selinux_ip_postroute(skb, out->ifindex, PF_INET);
4837 }
4838
4839 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
4840 static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
4841                                            struct sk_buff *skb,
4842                                            const struct net_device *in,
4843                                            const struct net_device *out,
4844                                            int (*okfn)(struct sk_buff *))
4845 {
4846         return selinux_ip_postroute(skb, out->ifindex, PF_INET6);
4847 }
4848 #endif  /* IPV6 */
4849
4850 #endif  /* CONFIG_NETFILTER */
4851
4852 static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
4853 {
4854         int err;
4855
4856         err = secondary_ops->netlink_send(sk, skb);
4857         if (err)
4858                 return err;
4859
4860         if (policydb_loaded_version >= POLICYDB_VERSION_NLCLASS)
4861                 err = selinux_nlmsg_perm(sk, skb);
4862
4863         return err;
4864 }
4865
4866 static int selinux_netlink_recv(struct sk_buff *skb, int capability)
4867 {
4868         int err;
4869         struct avc_audit_data ad;
4870
4871         err = secondary_ops->netlink_recv(skb, capability);
4872         if (err)
4873                 return err;
4874
4875         AVC_AUDIT_DATA_INIT(&ad, CAP);
4876         ad.u.cap = capability;
4877
4878         return avc_has_perm(NETLINK_CB(skb).sid, NETLINK_CB(skb).sid,
4879                             SECCLASS_CAPABILITY, CAP_TO_MASK(capability), &ad);
4880 }
4881
4882 static int ipc_alloc_security(struct task_struct *task,
4883                               struct kern_ipc_perm *perm,
4884                               u16 sclass)
4885 {
4886         struct ipc_security_struct *isec;
4887         u32 sid;
4888
4889         isec = kzalloc(sizeof(struct ipc_security_struct), GFP_KERNEL);
4890         if (!isec)
4891                 return -ENOMEM;
4892
4893         sid = task_sid(task);
4894         isec->sclass = sclass;
4895         isec->sid = sid;
4896         perm->security = isec;
4897
4898         return 0;
4899 }
4900
4901 static void ipc_free_security(struct kern_ipc_perm *perm)
4902 {
4903         struct ipc_security_struct *isec = perm->security;
4904         perm->security = NULL;
4905         kfree(isec);
4906 }
4907
4908 static int msg_msg_alloc_security(struct msg_msg *msg)
4909 {
4910         struct msg_security_struct *msec;
4911
4912         msec = kzalloc(sizeof(struct msg_security_struct), GFP_KERNEL);
4913         if (!msec)
4914                 return -ENOMEM;
4915
4916         msec->sid = SECINITSID_UNLABELED;
4917         msg->security = msec;
4918
4919         return 0;
4920 }
4921
4922 static void msg_msg_free_security(struct msg_msg *msg)
4923 {
4924         struct msg_security_struct *msec = msg->security;
4925
4926         msg->security = NULL;
4927         kfree(msec);
4928 }
4929
4930 static int ipc_has_perm(struct kern_ipc_perm *ipc_perms,
4931                         u32 perms)
4932 {
4933         struct ipc_security_struct *isec;
4934         struct avc_audit_data ad;
4935         u32 sid = current_sid();
4936
4937         isec = ipc_perms->security;
4938
4939         AVC_AUDIT_DATA_INIT(&ad, IPC);
4940         ad.u.ipc_id = ipc_perms->key;
4941
4942         return avc_has_perm(sid, isec->sid, isec->sclass, perms, &ad);
4943 }
4944
4945 static int selinux_msg_msg_alloc_security(struct msg_msg *msg)
4946 {
4947         return msg_msg_alloc_security(msg);
4948 }
4949
4950 static void selinux_msg_msg_free_security(struct msg_msg *msg)
4951 {
4952         msg_msg_free_security(msg);
4953 }
4954
4955 /* message queue security operations */
4956 static int selinux_msg_queue_alloc_security(struct msg_queue *msq)
4957 {
4958         struct ipc_security_struct *isec;
4959         struct avc_audit_data ad;
4960         u32 sid = current_sid();
4961         int rc;
4962
4963         rc = ipc_alloc_security(current, &msq->q_perm, SECCLASS_MSGQ);
4964         if (rc)
4965                 return rc;
4966
4967         isec = msq->q_perm.security;
4968
4969         AVC_AUDIT_DATA_INIT(&ad, IPC);
4970         ad.u.ipc_id = msq->q_perm.key;
4971
4972         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4973                           MSGQ__CREATE, &ad);
4974         if (rc) {
4975                 ipc_free_security(&msq->q_perm);
4976                 return rc;
4977         }
4978         return 0;
4979 }
4980
4981 static void selinux_msg_queue_free_security(struct msg_queue *msq)
4982 {
4983         ipc_free_security(&msq->q_perm);
4984 }
4985
4986 static int selinux_msg_queue_associate(struct msg_queue *msq, int msqflg)
4987 {
4988         struct ipc_security_struct *isec;
4989         struct avc_audit_data ad;
4990         u32 sid = current_sid();
4991
4992         isec = msq->q_perm.security;
4993
4994         AVC_AUDIT_DATA_INIT(&ad, IPC);
4995         ad.u.ipc_id = msq->q_perm.key;
4996
4997         return avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
4998                             MSGQ__ASSOCIATE, &ad);
4999 }
5000
5001 static int selinux_msg_queue_msgctl(struct msg_queue *msq, int cmd)
5002 {
5003         int err;
5004         int perms;
5005
5006         switch (cmd) {
5007         case IPC_INFO:
5008         case MSG_INFO:
5009                 /* No specific object, just general system-wide information. */
5010                 return task_has_system(current, SYSTEM__IPC_INFO);
5011         case IPC_STAT:
5012         case MSG_STAT:
5013                 perms = MSGQ__GETATTR | MSGQ__ASSOCIATE;
5014                 break;
5015         case IPC_SET:
5016                 perms = MSGQ__SETATTR;
5017                 break;
5018         case IPC_RMID:
5019                 perms = MSGQ__DESTROY;
5020                 break;
5021         default:
5022                 return 0;
5023         }
5024
5025         err = ipc_has_perm(&msq->q_perm, perms);
5026         return err;
5027 }
5028
5029 static int selinux_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, int msqflg)
5030 {
5031         struct ipc_security_struct *isec;
5032         struct msg_security_struct *msec;
5033         struct avc_audit_data ad;
5034         u32 sid = current_sid();
5035         int rc;
5036
5037         isec = msq->q_perm.security;
5038         msec = msg->security;
5039
5040         /*
5041          * First time through, need to assign label to the message
5042          */
5043         if (msec->sid == SECINITSID_UNLABELED) {
5044                 /*
5045                  * Compute new sid based on current process and
5046                  * message queue this message will be stored in
5047                  */
5048                 rc = security_transition_sid(sid, isec->sid, SECCLASS_MSG,
5049                                              &msec->sid);
5050                 if (rc)
5051                         return rc;
5052         }
5053
5054         AVC_AUDIT_DATA_INIT(&ad, IPC);
5055         ad.u.ipc_id = msq->q_perm.key;
5056
5057         /* Can this process write to the queue? */
5058         rc = avc_has_perm(sid, isec->sid, SECCLASS_MSGQ,
5059                           MSGQ__WRITE, &ad);
5060         if (!rc)
5061                 /* Can this process send the message */
5062                 rc = avc_has_perm(sid, msec->sid, SECCLASS_MSG,
5063                                   MSG__SEND, &ad);
5064         if (!rc)
5065                 /* Can the message be put in the queue? */
5066                 rc = avc_has_perm(msec->sid, isec->sid, SECCLASS_MSGQ,
5067                                   MSGQ__ENQUEUE, &ad);
5068
5069         return rc;
5070 }
5071
5072 static int selinux_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
5073                                     struct task_struct *target,
5074                                     long type, int mode)
5075 {
5076         struct ipc_security_struct *isec;
5077         struct msg_security_struct *msec;
5078         struct avc_audit_data ad;
5079         u32 sid = task_sid(target);
5080         int rc;
5081
5082         isec = msq->q_perm.security;
5083         msec = msg->security;
5084
5085         AVC_AUDIT_DATA_INIT(&ad, IPC);
5086         ad.u.ipc_id = msq->q_perm.key;
5087
5088         rc = avc_has_perm(sid, isec->sid,
5089                           SECCLASS_MSGQ, MSGQ__READ, &ad);
5090         if (!rc)
5091                 rc = avc_has_perm(sid, msec->sid,
5092                                   SECCLASS_MSG, MSG__RECEIVE, &ad);
5093         return rc;
5094 }
5095
5096 /* Shared Memory security operations */
5097 static int selinux_shm_alloc_security(struct shmid_kernel *shp)
5098 {
5099         struct ipc_security_struct *isec;
5100         struct avc_audit_data ad;
5101         u32 sid = current_sid();
5102         int rc;
5103
5104         rc = ipc_alloc_security(current, &shp->shm_perm, SECCLASS_SHM);
5105         if (rc)
5106                 return rc;
5107
5108         isec = shp->shm_perm.security;
5109
5110         AVC_AUDIT_DATA_INIT(&ad, IPC);
5111         ad.u.ipc_id = shp->shm_perm.key;
5112
5113         rc = avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5114                           SHM__CREATE, &ad);
5115         if (rc) {
5116                 ipc_free_security(&shp->shm_perm);
5117                 return rc;
5118         }
5119         return 0;
5120 }
5121
5122 static void selinux_shm_free_security(struct shmid_kernel *shp)
5123 {
5124         ipc_free_security(&shp->shm_perm);
5125 }
5126
5127 static int selinux_shm_associate(struct shmid_kernel *shp, int shmflg)
5128 {
5129         struct ipc_security_struct *isec;
5130         struct avc_audit_data ad;
5131         u32 sid = current_sid();
5132
5133         isec = shp->shm_perm.security;
5134
5135         AVC_AUDIT_DATA_INIT(&ad, IPC);
5136         ad.u.ipc_id = shp->shm_perm.key;
5137
5138         return avc_has_perm(sid, isec->sid, SECCLASS_SHM,
5139                             SHM__ASSOCIATE, &ad);
5140 }
5141
5142 /* Note, at this point, shp is locked down */
5143 static int selinux_shm_shmctl(struct shmid_kernel *shp, int cmd)
5144 {
5145         int perms;
5146         int err;
5147
5148         switch (cmd) {
5149         case IPC_INFO:
5150         case SHM_INFO:
5151                 /* No specific object, just general system-wide information. */
5152                 return task_has_system(current, SYSTEM__IPC_INFO);
5153         case IPC_STAT:
5154         case SHM_STAT:
5155                 perms = SHM__GETATTR | SHM__ASSOCIATE;
5156                 break;
5157         case IPC_SET:
5158                 perms = SHM__SETATTR;
5159                 break;
5160         case SHM_LOCK:
5161         case SHM_UNLOCK:
5162                 perms = SHM__LOCK;
5163                 break;
5164         case IPC_RMID:
5165                 perms = SHM__DESTROY;
5166                 break;
5167         default:
5168                 return 0;
5169         }
5170
5171         err = ipc_has_perm(&shp->shm_perm, perms);
5172         return err;
5173 }
5174
5175 static int selinux_shm_shmat(struct shmid_kernel *shp,
5176                              char __user *shmaddr, int shmflg)
5177 {
5178         u32 perms;
5179         int rc;
5180
5181         rc = secondary_ops->shm_shmat(shp, shmaddr, shmflg);
5182         if (rc)
5183                 return rc;
5184
5185         if (shmflg & SHM_RDONLY)
5186                 perms = SHM__READ;
5187         else
5188                 perms = SHM__READ | SHM__WRITE;
5189
5190         return ipc_has_perm(&shp->shm_perm, perms);
5191 }
5192
5193 /* Semaphore security operations */
5194 static int selinux_sem_alloc_security(struct sem_array *sma)
5195 {
5196         struct ipc_security_struct *isec;
5197         struct avc_audit_data ad;
5198         u32 sid = current_sid();
5199         int rc;
5200
5201         rc = ipc_alloc_security(current, &sma->sem_perm, SECCLASS_SEM);
5202         if (rc)
5203                 return rc;
5204
5205         isec = sma->sem_perm.security;
5206
5207         AVC_AUDIT_DATA_INIT(&ad, IPC);
5208         ad.u.ipc_id = sma->sem_perm.key;
5209
5210         rc = avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5211                           SEM__CREATE, &ad);
5212         if (rc) {
5213                 ipc_free_security(&sma->sem_perm);
5214                 return rc;
5215         }
5216         return 0;
5217 }
5218
5219 static void selinux_sem_free_security(struct sem_array *sma)
5220 {
5221         ipc_free_security(&sma->sem_perm);
5222 }
5223
5224 static int selinux_sem_associate(struct sem_array *sma, int semflg)
5225 {
5226         struct ipc_security_struct *isec;
5227         struct avc_audit_data ad;
5228         u32 sid = current_sid();
5229
5230         isec = sma->sem_perm.security;
5231
5232         AVC_AUDIT_DATA_INIT(&ad, IPC);
5233         ad.u.ipc_id = sma->sem_perm.key;
5234
5235         return avc_has_perm(sid, isec->sid, SECCLASS_SEM,
5236                             SEM__ASSOCIATE, &ad);
5237 }
5238
5239 /* Note, at this point, sma is locked down */
5240 static int selinux_sem_semctl(struct sem_array *sma, int cmd)
5241 {
5242         int err;
5243         u32 perms;
5244
5245         switch (cmd) {
5246         case IPC_INFO:
5247         case SEM_INFO:
5248                 /* No specific object, just general system-wide information. */
5249                 return task_has_system(current, SYSTEM__IPC_INFO);
5250         case GETPID:
5251         case GETNCNT:
5252         case GETZCNT:
5253                 perms = SEM__GETATTR;
5254                 break;
5255         case GETVAL:
5256         case GETALL:
5257                 perms = SEM__READ;
5258                 break;
5259         case SETVAL:
5260         case SETALL:
5261                 perms = SEM__WRITE;
5262                 break;
5263         case IPC_RMID:
5264                 perms = SEM__DESTROY;
5265                 break;
5266         case IPC_SET:
5267                 perms = SEM__SETATTR;
5268                 break;
5269         case IPC_STAT:
5270         case SEM_STAT:
5271                 perms = SEM__GETATTR | SEM__ASSOCIATE;
5272                 break;
5273         default:
5274                 return 0;
5275         }
5276
5277         err = ipc_has_perm(&sma->sem_perm, perms);
5278         return err;
5279 }
5280
5281 static int selinux_sem_semop(struct sem_array *sma,
5282                              struct sembuf *sops, unsigned nsops, int alter)
5283 {
5284         u32 perms;
5285
5286         if (alter)
5287                 perms = SEM__READ | SEM__WRITE;
5288         else
5289                 perms = SEM__READ;
5290
5291         return ipc_has_perm(&sma->sem_perm, perms);
5292 }
5293
5294 static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
5295 {
5296         u32 av = 0;
5297
5298         av = 0;
5299         if (flag & S_IRUGO)
5300                 av |= IPC__UNIX_READ;
5301         if (flag & S_IWUGO)
5302                 av |= IPC__UNIX_WRITE;
5303
5304         if (av == 0)
5305                 return 0;
5306
5307         return ipc_has_perm(ipcp, av);
5308 }
5309
5310 static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
5311 {
5312         struct ipc_security_struct *isec = ipcp->security;
5313         *secid = isec->sid;
5314 }
5315
5316 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
5317 {
5318         if (inode)
5319                 inode_doinit_with_dentry(inode, dentry);
5320 }
5321
5322 static int selinux_getprocattr(struct task_struct *p,
5323                                char *name, char **value)
5324 {
5325         const struct task_security_struct *__tsec;
5326         u32 sid;
5327         int error;
5328         unsigned len;
5329
5330         if (current != p) {
5331                 error = current_has_perm(p, PROCESS__GETATTR);
5332                 if (error)
5333                         return error;
5334         }
5335
5336         rcu_read_lock();
5337         __tsec = __task_cred(p)->security;
5338
5339         if (!strcmp(name, "current"))
5340                 sid = __tsec->sid;
5341         else if (!strcmp(name, "prev"))
5342                 sid = __tsec->osid;
5343         else if (!strcmp(name, "exec"))
5344                 sid = __tsec->exec_sid;
5345         else if (!strcmp(name, "fscreate"))
5346                 sid = __tsec->create_sid;
5347         else if (!strcmp(name, "keycreate"))
5348                 sid = __tsec->keycreate_sid;
5349         else if (!strcmp(name, "sockcreate"))
5350                 sid = __tsec->sockcreate_sid;
5351         else
5352                 goto invalid;
5353         rcu_read_unlock();
5354
5355         if (!sid)
5356                 return 0;
5357
5358         error = security_sid_to_context(sid, value, &len);
5359         if (error)
5360                 return error;
5361         return len;
5362
5363 invalid:
5364         rcu_read_unlock();
5365         return -EINVAL;
5366 }
5367
5368 static int selinux_setprocattr(struct task_struct *p,
5369                                char *name, void *value, size_t size)
5370 {
5371         struct task_security_struct *tsec;
5372         struct task_struct *tracer;
5373         struct cred *new;
5374         u32 sid = 0, ptsid;
5375         int error;
5376         char *str = value;
5377
5378         if (current != p) {
5379                 /* SELinux only allows a process to change its own
5380                    security attributes. */
5381                 return -EACCES;
5382         }
5383
5384         /*
5385          * Basic control over ability to set these attributes at all.
5386          * current == p, but we'll pass them separately in case the
5387          * above restriction is ever removed.
5388          */
5389         if (!strcmp(name, "exec"))
5390                 error = current_has_perm(p, PROCESS__SETEXEC);
5391         else if (!strcmp(name, "fscreate"))
5392                 error = current_has_perm(p, PROCESS__SETFSCREATE);
5393         else if (!strcmp(name, "keycreate"))
5394                 error = current_has_perm(p, PROCESS__SETKEYCREATE);
5395         else if (!strcmp(name, "sockcreate"))
5396                 error = current_has_perm(p, PROCESS__SETSOCKCREATE);
5397         else if (!strcmp(name, "current"))
5398                 error = current_has_perm(p, PROCESS__SETCURRENT);
5399         else
5400                 error = -EINVAL;
5401         if (error)
5402                 return error;
5403
5404         /* Obtain a SID for the context, if one was specified. */
5405         if (size && str[1] && str[1] != '\n') {
5406                 if (str[size-1] == '\n') {
5407                         str[size-1] = 0;
5408                         size--;
5409                 }
5410                 error = security_context_to_sid(value, size, &sid);
5411                 if (error == -EINVAL && !strcmp(name, "fscreate")) {
5412                         if (!capable(CAP_MAC_ADMIN))
5413                                 return error;
5414                         error = security_context_to_sid_force(value, size,
5415                                                               &sid);
5416                 }
5417                 if (error)
5418                         return error;
5419         }
5420
5421         new = prepare_creds();
5422         if (!new)
5423                 return -ENOMEM;
5424
5425         /* Permission checking based on the specified context is
5426            performed during the actual operation (execve,
5427            open/mkdir/...), when we know the full context of the
5428            operation.  See selinux_bprm_set_creds for the execve
5429            checks and may_create for the file creation checks. The
5430            operation will then fail if the context is not permitted. */
5431         tsec = new->security;
5432         if (!strcmp(name, "exec")) {
5433                 tsec->exec_sid = sid;
5434         } else if (!strcmp(name, "fscreate")) {
5435                 tsec->create_sid = sid;
5436         } else if (!strcmp(name, "keycreate")) {
5437                 error = may_create_key(sid, p);
5438                 if (error)
5439                         goto abort_change;
5440                 tsec->keycreate_sid = sid;
5441         } else if (!strcmp(name, "sockcreate")) {
5442                 tsec->sockcreate_sid = sid;
5443         } else if (!strcmp(name, "current")) {
5444                 error = -EINVAL;
5445                 if (sid == 0)
5446                         goto abort_change;
5447
5448                 /* Only allow single threaded processes to change context */
5449                 error = -EPERM;
5450                 if (!is_single_threaded(p)) {
5451                         error = security_bounded_transition(tsec->sid, sid);
5452                         if (error)
5453                                 goto abort_change;
5454                 }
5455
5456                 /* Check permissions for the transition. */
5457                 error = avc_has_perm(tsec->sid, sid, SECCLASS_PROCESS,
5458                                      PROCESS__DYNTRANSITION, NULL);
5459                 if (error)
5460                         goto abort_change;
5461
5462                 /* Check for ptracing, and update the task SID if ok.
5463                    Otherwise, leave SID unchanged and fail. */
5464                 ptsid = 0;
5465                 task_lock(p);
5466                 tracer = tracehook_tracer_task(p);
5467                 if (tracer)
5468                         ptsid = task_sid(tracer);
5469                 task_unlock(p);
5470
5471                 if (tracer) {
5472                         error = avc_has_perm(ptsid, sid, SECCLASS_PROCESS,
5473                                              PROCESS__PTRACE, NULL);
5474                         if (error)
5475                                 goto abort_change;
5476                 }
5477
5478                 tsec->sid = sid;
5479         } else {
5480                 error = -EINVAL;
5481                 goto abort_change;
5482         }
5483
5484         commit_creds(new);
5485         return size;
5486
5487 abort_change:
5488         abort_creds(new);
5489         return error;
5490 }
5491
5492 static int selinux_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
5493 {
5494         return security_sid_to_context(secid, secdata, seclen);
5495 }
5496
5497 static int selinux_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
5498 {
5499         return security_context_to_sid(secdata, seclen, secid);
5500 }
5501
5502 static void selinux_release_secctx(char *secdata, u32 seclen)
5503 {
5504         kfree(secdata);
5505 }
5506
5507 #ifdef CONFIG_KEYS
5508
5509 static int selinux_key_alloc(struct key *k, const struct cred *cred,
5510                              unsigned long flags)
5511 {
5512         const struct task_security_struct *tsec;
5513         struct key_security_struct *ksec;
5514
5515         ksec = kzalloc(sizeof(struct key_security_struct), GFP_KERNEL);
5516         if (!ksec)
5517                 return -ENOMEM;
5518
5519         tsec = cred->security;
5520         if (tsec->keycreate_sid)
5521                 ksec->sid = tsec->keycreate_sid;
5522         else
5523                 ksec->sid = tsec->sid;
5524
5525         k->security = ksec;
5526         return 0;
5527 }
5528
5529 static void selinux_key_free(struct key *k)
5530 {
5531         struct key_security_struct *ksec = k->security;
5532
5533         k->security = NULL;
5534         kfree(ksec);
5535 }
5536
5537 static int selinux_key_permission(key_ref_t key_ref,
5538                                   const struct cred *cred,
5539                                   key_perm_t perm)
5540 {
5541         struct key *key;
5542         struct key_security_struct *ksec;
5543         u32 sid;
5544
5545         /* if no specific permissions are requested, we skip the
5546            permission check. No serious, additional covert channels
5547            appear to be created. */
5548         if (perm == 0)
5549                 return 0;
5550
5551         sid = cred_sid(cred);
5552
5553         key = key_ref_to_ptr(key_ref);
5554         ksec = key->security;
5555
5556         return avc_has_perm(sid, ksec->sid, SECCLASS_KEY, perm, NULL);
5557 }
5558
5559 static int selinux_key_getsecurity(struct key *key, char **_buffer)
5560 {
5561         struct key_security_struct *ksec = key->security;
5562         char *context = NULL;
5563         unsigned len;
5564         int rc;
5565
5566         rc = security_sid_to_context(ksec->sid, &context, &len);
5567         if (!rc)
5568                 rc = len;
5569         *_buffer = context;
5570         return rc;
5571 }
5572
5573 #endif
5574
5575 static struct security_operations selinux_ops = {
5576         .name =                         "selinux",
5577
5578         .ptrace_may_access =            selinux_ptrace_may_access,
5579         .ptrace_traceme =               selinux_ptrace_traceme,
5580         .capget =                       selinux_capget,
5581         .capset =                       selinux_capset,
5582         .sysctl =                       selinux_sysctl,
5583         .capable =                      selinux_capable,
5584         .task_capable =                 selinux_task_capable,
5585         .quotactl =                     selinux_quotactl,
5586         .quota_on =                     selinux_quota_on,
5587         .syslog =                       selinux_syslog,
5588         .vm_enough_memory =             selinux_vm_enough_memory,
5589
5590         .netlink_send =                 selinux_netlink_send,
5591         .netlink_recv =                 selinux_netlink_recv,
5592
5593         .bprm_set_creds =               selinux_bprm_set_creds,
5594         .bprm_check_security =          selinux_bprm_check_security,
5595         .bprm_committing_creds =        selinux_bprm_committing_creds,
5596         .bprm_committed_creds =         selinux_bprm_committed_creds,
5597         .bprm_secureexec =              selinux_bprm_secureexec,
5598
5599         .sb_alloc_security =            selinux_sb_alloc_security,
5600         .sb_free_security =             selinux_sb_free_security,
5601         .sb_copy_data =                 selinux_sb_copy_data,
5602         .sb_kern_mount =                selinux_sb_kern_mount,
5603         .sb_show_options =              selinux_sb_show_options,
5604         .sb_statfs =                    selinux_sb_statfs,
5605         .sb_mount =                     selinux_mount,
5606         .sb_umount =                    selinux_umount,
5607         .sb_set_mnt_opts =              selinux_set_mnt_opts,
5608         .sb_clone_mnt_opts =            selinux_sb_clone_mnt_opts,
5609         .sb_parse_opts_str =            selinux_parse_opts_str,
5610
5611
5612         .inode_alloc_security =         selinux_inode_alloc_security,
5613         .inode_free_security =          selinux_inode_free_security,
5614         .inode_init_security =          selinux_inode_init_security,
5615         .inode_create =                 selinux_inode_create,
5616         .inode_link =                   selinux_inode_link,
5617         .inode_unlink =                 selinux_inode_unlink,
5618         .inode_symlink =                selinux_inode_symlink,
5619         .inode_mkdir =                  selinux_inode_mkdir,
5620         .inode_rmdir =                  selinux_inode_rmdir,
5621         .inode_mknod =                  selinux_inode_mknod,
5622         .inode_rename =                 selinux_inode_rename,
5623         .inode_readlink =               selinux_inode_readlink,
5624         .inode_follow_link =            selinux_inode_follow_link,
5625         .inode_permission =             selinux_inode_permission,
5626         .inode_setattr =                selinux_inode_setattr,
5627         .inode_getattr =                selinux_inode_getattr,
5628         .inode_setxattr =               selinux_inode_setxattr,
5629         .inode_post_setxattr =          selinux_inode_post_setxattr,
5630         .inode_getxattr =               selinux_inode_getxattr,
5631         .inode_listxattr =              selinux_inode_listxattr,
5632         .inode_removexattr =            selinux_inode_removexattr,
5633         .inode_getsecurity =            selinux_inode_getsecurity,
5634         .inode_setsecurity =            selinux_inode_setsecurity,
5635         .inode_listsecurity =           selinux_inode_listsecurity,
5636         .inode_need_killpriv =          selinux_inode_need_killpriv,
5637         .inode_killpriv =               selinux_inode_killpriv,
5638         .inode_getsecid =               selinux_inode_getsecid,
5639
5640         .file_permission =              selinux_file_permission,
5641         .file_alloc_security =          selinux_file_alloc_security,
5642         .file_free_security =           selinux_file_free_security,
5643         .file_ioctl =                   selinux_file_ioctl,
5644         .file_mmap =                    selinux_file_mmap,
5645         .file_mprotect =                selinux_file_mprotect,
5646         .file_lock =                    selinux_file_lock,
5647         .file_fcntl =                   selinux_file_fcntl,
5648         .file_set_fowner =              selinux_file_set_fowner,
5649         .file_send_sigiotask =          selinux_file_send_sigiotask,
5650         .file_receive =                 selinux_file_receive,
5651
5652         .dentry_open =                  selinux_dentry_open,
5653
5654         .task_create =                  selinux_task_create,
5655         .cred_free =                    selinux_cred_free,
5656         .cred_prepare =                 selinux_cred_prepare,
5657         .cred_commit =                  selinux_cred_commit,
5658         .kernel_act_as =                selinux_kernel_act_as,
5659         .kernel_create_files_as =       selinux_kernel_create_files_as,
5660         .task_setuid =                  selinux_task_setuid,
5661         .task_fix_setuid =              selinux_task_fix_setuid,
5662         .task_setgid =                  selinux_task_setgid,
5663         .task_setpgid =                 selinux_task_setpgid,
5664         .task_getpgid =                 selinux_task_getpgid,
5665         .task_getsid =                  selinux_task_getsid,
5666         .task_getsecid =                selinux_task_getsecid,
5667         .task_setgroups =               selinux_task_setgroups,
5668         .task_setnice =                 selinux_task_setnice,
5669         .task_setioprio =               selinux_task_setioprio,
5670         .task_getioprio =               selinux_task_getioprio,
5671         .task_setrlimit =               selinux_task_setrlimit,
5672         .task_setscheduler =            selinux_task_setscheduler,
5673         .task_getscheduler =            selinux_task_getscheduler,
5674         .task_movememory =              selinux_task_movememory,
5675         .task_kill =                    selinux_task_kill,
5676         .task_wait =                    selinux_task_wait,
5677         .task_prctl =                   selinux_task_prctl,
5678         .task_to_inode =                selinux_task_to_inode,
5679
5680         .ipc_permission =               selinux_ipc_permission,
5681         .ipc_getsecid =                 selinux_ipc_getsecid,
5682
5683         .msg_msg_alloc_security =       selinux_msg_msg_alloc_security,
5684         .msg_msg_free_security =        selinux_msg_msg_free_security,
5685
5686         .msg_queue_alloc_security =     selinux_msg_queue_alloc_security,
5687         .msg_queue_free_security =      selinux_msg_queue_free_security,
5688         .msg_queue_associate =          selinux_msg_queue_associate,
5689         .msg_queue_msgctl =             selinux_msg_queue_msgctl,
5690         .msg_queue_msgsnd =             selinux_msg_queue_msgsnd,
5691         .msg_queue_msgrcv =             selinux_msg_queue_msgrcv,
5692
5693         .shm_alloc_security =           selinux_shm_alloc_security,
5694         .shm_free_security =            selinux_shm_free_security,
5695         .shm_associate =                selinux_shm_associate,
5696         .shm_shmctl =                   selinux_shm_shmctl,
5697         .shm_shmat =                    selinux_shm_shmat,
5698
5699         .sem_alloc_security =           selinux_sem_alloc_security,
5700         .sem_free_security =            selinux_sem_free_security,
5701         .sem_associate =                selinux_sem_associate,
5702         .sem_semctl =                   selinux_sem_semctl,
5703         .sem_semop =                    selinux_sem_semop,
5704
5705         .d_instantiate =                selinux_d_instantiate,
5706
5707         .getprocattr =                  selinux_getprocattr,
5708         .setprocattr =                  selinux_setprocattr,
5709
5710         .secid_to_secctx =              selinux_secid_to_secctx,
5711         .secctx_to_secid =              selinux_secctx_to_secid,
5712         .release_secctx =               selinux_release_secctx,
5713
5714         .unix_stream_connect =          selinux_socket_unix_stream_connect,
5715         .unix_may_send =                selinux_socket_unix_may_send,
5716
5717         .socket_create =                selinux_socket_create,
5718         .socket_post_create =           selinux_socket_post_create,
5719         .socket_bind =                  selinux_socket_bind,
5720         .socket_connect =               selinux_socket_connect,
5721         .socket_listen =                selinux_socket_listen,
5722         .socket_accept =                selinux_socket_accept,
5723         .socket_sendmsg =               selinux_socket_sendmsg,
5724         .socket_recvmsg =               selinux_socket_recvmsg,
5725         .socket_getsockname =           selinux_socket_getsockname,
5726         .socket_getpeername =           selinux_socket_getpeername,
5727         .socket_getsockopt =            selinux_socket_getsockopt,
5728         .socket_setsockopt =            selinux_socket_setsockopt,
5729         .socket_shutdown =              selinux_socket_shutdown,
5730         .socket_sock_rcv_skb =          selinux_socket_sock_rcv_skb,
5731         .socket_getpeersec_stream =     selinux_socket_getpeersec_stream,
5732         .socket_getpeersec_dgram =      selinux_socket_getpeersec_dgram,
5733         .sk_alloc_security =            selinux_sk_alloc_security,
5734         .sk_free_security =             selinux_sk_free_security,
5735         .sk_clone_security =            selinux_sk_clone_security,
5736         .sk_getsecid =                  selinux_sk_getsecid,
5737         .sock_graft =                   selinux_sock_graft,
5738         .inet_conn_request =            selinux_inet_conn_request,
5739         .inet_csk_clone =               selinux_inet_csk_clone,
5740         .inet_conn_established =        selinux_inet_conn_established,
5741         .req_classify_flow =            selinux_req_classify_flow,
5742
5743 #ifdef CONFIG_SECURITY_NETWORK_XFRM
5744         .xfrm_policy_alloc_security =   selinux_xfrm_policy_alloc,
5745         .xfrm_policy_clone_security =   selinux_xfrm_policy_clone,
5746         .xfrm_policy_free_security =    selinux_xfrm_policy_free,
5747         .xfrm_policy_delete_security =  selinux_xfrm_policy_delete,
5748         .xfrm_state_alloc_security =    selinux_xfrm_state_alloc,
5749         .xfrm_state_free_security =     selinux_xfrm_state_free,
5750         .xfrm_state_delete_security =   selinux_xfrm_state_delete,
5751         .xfrm_policy_lookup =           selinux_xfrm_policy_lookup,
5752         .xfrm_state_pol_flow_match =    selinux_xfrm_state_pol_flow_match,
5753         .xfrm_decode_session =          selinux_xfrm_decode_session,
5754 #endif
5755
5756 #ifdef CONFIG_KEYS
5757         .key_alloc =                    selinux_key_alloc,
5758         .key_free =                     selinux_key_free,
5759         .key_permission =               selinux_key_permission,
5760         .key_getsecurity =              selinux_key_getsecurity,
5761 #endif
5762
5763 #ifdef CONFIG_AUDIT
5764         .audit_rule_init =              selinux_audit_rule_init,
5765         .audit_rule_known =             selinux_audit_rule_known,
5766         .audit_rule_match =             selinux_audit_rule_match,
5767         .audit_rule_free =              selinux_audit_rule_free,
5768 #endif
5769 };
5770
5771 static __init int selinux_init(void)
5772 {
5773         if (!security_module_enable(&selinux_ops)) {
5774                 selinux_enabled = 0;
5775                 return 0;
5776         }
5777
5778         if (!selinux_enabled) {
5779                 printk(KERN_INFO "SELinux:  Disabled at boot.\n");
5780                 return 0;
5781         }
5782
5783         printk(KERN_INFO "SELinux:  Initializing.\n");
5784
5785         /* Set the security state for the initial task. */
5786         cred_init_security();
5787
5788         sel_inode_cache = kmem_cache_create("selinux_inode_security",
5789                                             sizeof(struct inode_security_struct),
5790                                             0, SLAB_PANIC, NULL);
5791         avc_init();
5792
5793         secondary_ops = security_ops;
5794         if (!secondary_ops)
5795                 panic("SELinux: No initial security operations\n");
5796         if (register_security(&selinux_ops))
5797                 panic("SELinux: Unable to register with kernel.\n");
5798
5799         if (selinux_enforcing)
5800                 printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
5801         else
5802                 printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
5803
5804         return 0;
5805 }
5806
5807 void selinux_complete_init(void)
5808 {
5809         printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
5810
5811         /* Set up any superblocks initialized prior to the policy load. */
5812         printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
5813         spin_lock(&sb_lock);
5814         spin_lock(&sb_security_lock);
5815 next_sb:
5816         if (!list_empty(&superblock_security_head)) {
5817                 struct superblock_security_struct *sbsec =
5818                                 list_entry(superblock_security_head.next,
5819                                            struct superblock_security_struct,
5820                                            list);
5821                 struct super_block *sb = sbsec->sb;
5822                 sb->s_count++;
5823                 spin_unlock(&sb_security_lock);
5824                 spin_unlock(&sb_lock);
5825                 down_read(&sb->s_umount);
5826                 if (sb->s_root)
5827                         superblock_doinit(sb, NULL);
5828                 drop_super(sb);
5829                 spin_lock(&sb_lock);
5830                 spin_lock(&sb_security_lock);
5831                 list_del_init(&sbsec->list);
5832                 goto next_sb;
5833         }
5834         spin_unlock(&sb_security_lock);
5835         spin_unlock(&sb_lock);
5836 }
5837
5838 /* SELinux requires early initialization in order to label
5839    all processes and objects when they are created. */
5840 security_initcall(selinux_init);
5841
5842 #if defined(CONFIG_NETFILTER)
5843
5844 static struct nf_hook_ops selinux_ipv4_ops[] = {
5845         {
5846                 .hook =         selinux_ipv4_postroute,
5847                 .owner =        THIS_MODULE,
5848                 .pf =           PF_INET,
5849                 .hooknum =      NF_INET_POST_ROUTING,
5850                 .priority =     NF_IP_PRI_SELINUX_LAST,
5851         },
5852         {
5853                 .hook =         selinux_ipv4_forward,
5854                 .owner =        THIS_MODULE,
5855                 .pf =           PF_INET,
5856                 .hooknum =      NF_INET_FORWARD,
5857                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5858         },
5859         {
5860                 .hook =         selinux_ipv4_output,
5861                 .owner =        THIS_MODULE,
5862                 .pf =           PF_INET,
5863                 .hooknum =      NF_INET_LOCAL_OUT,
5864                 .priority =     NF_IP_PRI_SELINUX_FIRST,
5865         }
5866 };
5867
5868 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5869
5870 static struct nf_hook_ops selinux_ipv6_ops[] = {
5871         {
5872                 .hook =         selinux_ipv6_postroute,
5873                 .owner =        THIS_MODULE,
5874                 .pf =           PF_INET6,
5875                 .hooknum =      NF_INET_POST_ROUTING,
5876                 .priority =     NF_IP6_PRI_SELINUX_LAST,
5877         },
5878         {
5879                 .hook =         selinux_ipv6_forward,
5880                 .owner =        THIS_MODULE,
5881                 .pf =           PF_INET6,
5882                 .hooknum =      NF_INET_FORWARD,
5883                 .priority =     NF_IP6_PRI_SELINUX_FIRST,
5884         }
5885 };
5886
5887 #endif  /* IPV6 */
5888
5889 static int __init selinux_nf_ip_init(void)
5890 {
5891         int err = 0;
5892
5893         if (!selinux_enabled)
5894                 goto out;
5895
5896         printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
5897
5898         err = nf_register_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5899         if (err)
5900                 panic("SELinux: nf_register_hooks for IPv4: error %d\n", err);
5901
5902 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5903         err = nf_register_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5904         if (err)
5905                 panic("SELinux: nf_register_hooks for IPv6: error %d\n", err);
5906 #endif  /* IPV6 */
5907
5908 out:
5909         return err;
5910 }
5911
5912 __initcall(selinux_nf_ip_init);
5913
5914 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5915 static void selinux_nf_ip_exit(void)
5916 {
5917         printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
5918
5919         nf_unregister_hooks(selinux_ipv4_ops, ARRAY_SIZE(selinux_ipv4_ops));
5920 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
5921         nf_unregister_hooks(selinux_ipv6_ops, ARRAY_SIZE(selinux_ipv6_ops));
5922 #endif  /* IPV6 */
5923 }
5924 #endif
5925
5926 #else /* CONFIG_NETFILTER */
5927
5928 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5929 #define selinux_nf_ip_exit()
5930 #endif
5931
5932 #endif /* CONFIG_NETFILTER */
5933
5934 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
5935 static int selinux_disabled;
5936
5937 int selinux_disable(void)
5938 {
5939         extern void exit_sel_fs(void);
5940
5941         if (ss_initialized) {
5942                 /* Not permitted after initial policy load. */
5943                 return -EINVAL;
5944         }
5945
5946         if (selinux_disabled) {
5947                 /* Only do this once. */
5948                 return -EINVAL;
5949         }
5950
5951         printk(KERN_INFO "SELinux:  Disabled at runtime.\n");
5952
5953         selinux_disabled = 1;
5954         selinux_enabled = 0;
5955
5956         /* Reset security_ops to the secondary module, dummy or capability. */
5957         security_ops = secondary_ops;
5958
5959         /* Unregister netfilter hooks. */
5960         selinux_nf_ip_exit();
5961
5962         /* Unregister selinuxfs. */
5963         exit_sel_fs();
5964
5965         return 0;
5966 }
5967 #endif